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Preface 



Shortly after the April 1986 nuclear accident at the Cher- 
nobyl Nuclear Power Station in the Soviet Union, Secretary of 
Energy John S. Herrington requested that the National Academy 
of Sciences and the National Academy of Engineerirg provide an 
independent assessment of the implications of the accident for the 
safe operation of 11 of the Department of Energy's (DOE) larger 
reactors. In response, the Academies formed the Conunittee to 
Assess Safety and Technical Issues at DOE Reactors, which in 
August 1986 began the study requested by the Secretary. 

This report fulfills a part of the Secretary's request. It provides 
an assessment of safety and technical issues at four of the eleven 
Class A reactors: the K, L, and P reactors located at the Savannah 
River Plant in South Carolina and the N Reactor located on the 
Hanford Nuclear Reservation in Washington. (The C Reactor, also 
located at the Savannah River Plant, was retired in January 1987.) 
These reactors are referred to as "defense production" reactors 
because they are operated primarily to supply the Department of 
Defense with plutonium and tritium for use in nuclear weapons. A 
subsequent report will examine the remainder of the DOE's large 
reactors. 

The N Reactor has operated for nearly 25 years, and the re- 
actors at the Savannah River Plant for over 30 years. During 

vii 



ERIC 



3 



this time, none of :he reactors at either site has had an accident 
approaching the severity of those at either Three Mile Island or 
Chernobyl. Nevertheless, the scale and consequences of the Cher- 
nobyl accident should serve as the impetus for a reexamination of 
all reactors. The review reported in this document was conducted 
by a conunittee whose members are experienced in reactor safety, 
particularly in the commercial and naval reactor fields. 

In conducting the study, the conunittee reviewed extensive 
documentation from the DOE and its contractors, including de- 
partmental orders, testimony before Congress, safety analys<!s and 
incident reports, conjspondence, audit and surveillance repcrts, 
minutes of meetings, and other documents — all extendLig back 
several years. The conrmiittee also made several site visits to 
Savannah River and tn the N Reactor in order to interview indi- 
viduals engaged in management and operations. The conmiittee 
held a number of meetings at which it heard the views of several 
members of a panel of experts (generally known as the Roddis 
panel) that conducted an earlier review of the N Reactor for the 
DOE. The conmiittee also conducted a series of public hearings to 
hear the views of citizens in the immediate vicinity of the plants. 
The committee is grateful to all those who participated. 

One of the committee members, Kai Lee of the University of 
Waahington, is also a member of the Northwest Power Planning 
Council. This council is responsible for formulating forecasts and 
plans for the Pacific Northwest region. In view of the appearance 
of a possible conflict of interest between his role on this committee 
and his responsibilities on the council. Professor Lee has chosen 
to take no part in any of the committee's deliberations on the 
reactors at Hanford. 

Several events occurred in the course of the study that have 
had an impact on the overall status of the production reactors. In 
late 1986, Congress failed to authorize funds requested by DOE 
for the purpose of extending the life of the N Reactor to the year 
2000. In November 1986, the Department of Energy lowered the 
operating power of the Savannah River reactors in response to 
uncertainties regarding the capability of the reactors' emergency 
core cooHng systems. On January 6, 1987, the N Reactor en- 
tered into a prolonged outage in order to implement changes in 
administrative procedures, to conduct tests, and to install addi- 
tional safety equipment. The shutdown was for the express pur- 
pose of responding to the many recommendations that resulted 
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from various post-Chernobyl reviews of the reactor. In the spring, 
Congress considered legislation that would prevent the N Reactor 
from ever operating again unless assurances were forthcoming as 
to the plant's safety. Late in the spring, the Secretary of Energy 
indicated that the Department intended to submit a request for 
funds in the FY 1989 budget for the design of new production re- 
actors, and around the same time the Department made a request 
that the National Research Council separately study the viability 
of selected alternative technologies for such a reactor. 

These changes complicated the conunittee's task. Moreover, 
in response to particular issues associated with events at Savannah 
River and Hanford, the conmiittee prepared two letter reports that 
were submitted to the Secretary of Energy; these are in Appendixes 
C and G, respectively, to this report. 

In language adopted in the House version of the FY 1988 
defense authorization bill. Congress requested that the Academies 
produce a report relating to the safety of operation of the N 
Reactor. The comriittee believes this report is responsive to that 
request. Also late in the spring, members of Congress discussed 
with officials of the National Research Council the possibility of 
the Research Council evaluating whether the N Reactor was ''safe" 
to restart. This report does not reach any conclusions with respect 
to restart. Although the conrniittee brings to its task a wealth of 
experience in the field of nuclear safety, it has neither the legal 
authority nor the capacity to conduct the in-depth scrutiay that 
would be necessary to judge the overall safety of any of DOE's 
reactors. This report should be considered an examination by a 
number of outside experts of a set of particular technical issues 
and uncertainties, and an evaluation of the conceptual soundness 
of DOE's approach to reactor safety. Both the strengths and 
weaknesses highlighted in the report should be understood in that 
light. 

The committee has sought to recommend improvements in 
production reactor safety in a variety of technical areas. But the 
report does not cover all technical issues important to safe reactor 
operation. In particular, the committee does not address such 
issues as safeguards and security, fuel handling and transportation, 
occupational safety, fire protection, quality assurance, or waste 
management. 

In its review of safety issues at the production reactors, the 
committee identified management as a major area of concern. A 
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discussion of the committee's views is presented in Chapter 3. 
The discussion in Chapter 3, however, is not intended to address 
how DOE should manage the safety and production challenges of 
the defense production enterprise as a whole. The production of 
nuclear weapons involves facilities at half a dozen sites containing 
reactors, chemical separation plants, waste management facilities, 
transportation networks, and other activities. DOS's management 
responsibility is to operate this complex of activities safely while 
meeting national requirements for the products. The assurance of 
the safety of the production reactors is but one element of DOE's 
responsibility. 
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Executive Summary 



The United States produces plutonium and tritium for use in 
nuclear weapons at the defense production reactors — the N Re- 
actor in Washington and the Savannah River reactors in South 
Carolina. This report reaches general conclusions about the man- 
agement of those reactors and highlights a number of safety and 
technical issues that should be resolved. The report provides an 
assessment of the safety management, safety review, and safety 
methodology employed by the Department of Energy and the 
private contractors who operate the reactors for the federal gov- 
ernment. 

rhe report is necessarily based on a limited review of the 
defense production reactors. It does not address whether any of 
the reactors is ''safe," because such an analysis would involve a 
determination of acceptable risk — a matter of obvious importance, 
but one that was beyond the purview of the committee. It also 
does not address whether the safety of the production reactors is 
comparable to that of commercial nuclear power stations, because 
even this narrower question extended beyond the charge to the 
committee and would have mvolved detailed analyses that the 
committee could not undertake. (In addition, the committee did 
not address such specific issues as restart of the N Reactor or the 
particular steps necessary to restore full power operation to the 
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Savannah River reactors.) Nonetheless, the committee hopes that 
its study will prompt the Department of Energy, others in the 
Executive Branch, and the Congress to address and resolve the 
safety and policy issues discussed in the report. 

The report is organized in three chapters. Chapter 1, "The 
DOE Safety Framework," exarunes the safety objective estab- 
lished by the Department of Energy for the production reactors 
and the process the Department and its contractors use to im- 
plement the objective. Chapter 2, "Technical Issues," focuses 
on a variety of uncertainties concerning the production reactors, 
particularly those related to potential vulnerabilities to severe ac- 
cidents. While reading Chapter 2, it is important to bear in mind 
that over the years the contractors have emphasized the preven- 
tion of accidents, and the production reactors have been operated 
for more than 25 years without experiencing a major one. Chapter 
3, "Strengthening the Technical Basis of Reactor Safety Manage- 
ment," identifies ways in which the DOE q>proach to management 
of the safety of the production reactors can be improved. 

The report raises many safety questions and considers ways of 
addressing them. This summary presents the principal conclusions 
and recommendations of the report as drawn from Chapters 1, 2, 
and 3. 



THE DOE SAFETY FRAMEWORK 

The stated safety objective for the defense production reactors 
is the achievement of a level of safety comparable to commercial 
nuclear power plants. However, the committee found a high de- 
gree of confusion both within DOE and among the contractor staff 
concerning the safety objective. The committee concludes that 
the Department has not clearly articulated, documented, or im- 
plemented any specific safety objective for its reactors. While the 
conmiittee does not criticize the objective of comparability per se, 
the Department's approach is so imprecise that it fails to provide a 
clear benchmark agamst which to determine whether comparabil- 
ity is being achieved. The absence of clear DOE guidance leads the 
committee to recommend that the Department clarify its safety 
objective and, in the process, provide a safety objective that is 
operationally meaningful to DOE and cc^ntractor staff as well as 
understandable to the public. The Department's safety objective 
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should provide a clear foundation on which the implementation of 
safety can be built. 

In support of the safety objective, the Department sets re- 
quirements for the production reactors through the issuance of 
Department Orders and through its contracts with the corporar 
tions that operate the reactors. However, the committee finds 
that the Department has failed to specify its safety requirements 
clearly, has failed to apply them uniformly at the two production 
reactor sites, and has failed to implement them in a timely manner. 
The committee reconunends that the Department revise its Orders 
so that they specify requirements clearly and establish deadlines 
and that DOE and Congress budget funds for implementation. 

Following the Chernobyl accident, the Department, on an ad 
hoc basis, increased its audits of contractor performance. This 
effort — its recent origin aside — has been conmiendable. The com- 
mittee urges the Department to continue to conduct comprehen- 
sive audits of cortractor performance on a frequent and continuing 
basis and to require prompt responses to these audits from the 
contractors in order to help assure reactor safety. 

T^ . age and unique designs of the production reactors demand 
high levels of technical capability in operating, engineering, and 
support staff. Indeed, increased levels of technological vigilance 
are needed at the defense production reactors. The committee 
reconunends that the Department and its contractors develop an 
expanded in-house capability to address, evaluate, and achieve 
an in-depth understanding of the technical issues associated with 
the safety of the production reactors. Methods and analytical 
techniques that are at least comparable in technical sophistication 
to those used within the conmiercial nuclear industry should be 
developed and used. The analyses and supporting tests arising 
from this effort should be comprehensive in scope and should be 
subjected to thorough outside peer review. 

TECHNICAL ISSUES 

The main body of the report is contained in Ch^)ter 2 and 
consists of evaluations of eleven technical issues pertaining to one 
or both of the production reactor sites. Key conclusions and rec- 
onunendations in Chapter 2 relate to the conimittee's assessment 
of such issues as acute aging phenomena; evaluation of potential 
severe accidents; power operating limits; confinement systems; and 
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the treatment of radioactively contaminated liquid effluents at the 
production reactors. Almost all the issues highlighted in Chapter 
2 deal wholly or in part with phenomena that could accompany 
potential severe accidents at the production reactors. This emr 
phasis derives primarily from the Secretary of Energy's request 
that the committee examine the Department's reactors ''in light 
of the Chernobyl accident The conmiittee stresses in the report, 
however, that attention to the causes and consequences of severe 
accidents cannot in and of itself assure the safety of the produc- 
tion reactors aad must not be allowed to detract from programs 
essential to managing, operating, and maintaining the production 
reactors so that severe accidents do not occur in the firat place. 

One of the key issues identified in Chapter 2 has to do with 
the age of the production reactors. Several other technical issues 
discussed in Chapter 2, such as the conduct of severe accident 
evaluation and probabilistic risk assessments, cannot properly be 
resolved without first answering the question of how long these 
aged reactors are to be operated. The level of effort that should 
be expended to evaluate potential severe accidents or to conduct 
probabilistic risk assessments must be determined from a realistic 
appraisal of the remaining service life of the production reactors. 
Acquiring a detailed understanding of the many potential severe 
accident phenomena to which these reactors may be subject would 
be a time-consuming and expensive undertaking; it would make 
little sense to begin an effort that would not be completed until 
after the reactors are retired. 

The policy and planning process of the federal government 
has not realistically addressed the aging of the defense production 
reactorc. Among previous determinations that have proven to 
be misguided are that the N Reactor would soon be retired and 
therefore need not be modernized and, later, that the life of the N 
Reactor would be extended through the year 2000, and, in the case 
of Savannah River, that the reactors could be operated essentially 
indefinitely. 

The discussion of acute aging phenomena in Chapter 2 de- 
scribes the extent to which the current production reactors display 
symptoms of acute aging that could affect safety and are likely to 
limit their useful lives. The level of uncertainty about how long 
the production reactors can be safely operated is high, and it is 
unknown whether a new production reactor or alternative means 
of supplying strategic nuclear materials will be available before 
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each of the existing reactors encounters some age-related problem 
that precludes safe operation. The conunittee recommends that 
if the United States finds it necessary to have a reliable and safe 
capability for the production erf plutonium and tritium for nu- 
clear weapons, thep planning for new production reactors or other 
alternatives should be accelerated. 

Chapter 2 also discusses the analysis d loss-of-coolant acci- 
dents at the production reactors and the determination of the 
limits of safe power operaticm. Based on preliminary analysis of 
the significant power derating that was put into effect at Savan- 
nah River during the course of the committee's work, the Savannah 
River contractor and DOE believe there is a reasonable expecta- 
tion that the emergency core cooling systems will prevent core 
damage in the event of a hypothetical, design-basis loss-of-coolant 
accident. They are continuing to analyze the problem. Because 
adequate resources have only recently been devoted to develop- 
ing a thoroughly documented understanding of the behavior of 
the Savannah River reactors in a loss-of-coolant accident, the po- 
tential for and consequences of early core heatup caused by flow 
instability in the first few seconds of such an accident at higher 
power levels remain to be explored. The committee reconmiends 
that before restoring full power operation at Savannah River, the 
Department satisfy itself, on the basis of a rigorous external re- 
view, that it has a thorough understanding of the behavior of the 
reactors in a major loss-of-coolant accident. 

The conunittee also concludes that a thorough understand- 
ing of the behavior of the N Reactor in a m^or loss-of-coolant 
accident does not currently exist, and recommends that such an 
understanding be urgently developed. The understanding should 
be based on state-of-the-art analytical tools, and the tools should 
have the ability to analyze potential thermal shock and water ham- 
mer phenomena. The use of these tools shouki be accompanied 
by rigorous quality assurance of the computer codes, as well as 
experimental validation of the results, particularly with respect to 
the distinctive horizontal geometry of the N-Reactor core. 

On the more general issue of severe accidents and their eval- 
uation, the committee concludes that the existing level of under- 
standing of severe accident behavior for the production reactors is 
inadequate to permit a realistic assessment of the effectiveness of 
these designs in mitigating the consequences of severe accidents. 
The conmiittee therefore recommends that near-term decisions on 
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changes in the design and operation of the production reactors be 
guided by simple, physically based models and substantial safety 
margins. For those reactors that have a significant probability of 
being q[>erated beyond the next few years, the Department should 
now commence an in-depth program of severe accident model de- 
velopment and validation. Data from t! e program should be ap- 
plied in a continuing reexamination of the risk of severe accidents 
and a review of the design and (q>eration of the plants. 

The production reactors differ from conomercial nuclear power 
plants in their use of confinement systems (i.e., systems that aim 
to control the release of effluents during accidents) rather than 
renciok containments (systems that aim to totally contain any 
accident release) as barriers to the release of radionuclides. The 
conunittee condudes that, in theory, the omfinement approach 
can provide an acceptable means for mitigating accidents. 

The conunittee also ccmdudes, however, that there are signifi- 
cant uncertainties in the ability of the existing production reactor 
confinements to mitigate the effects of radionuclide releases that 
would be expected to occur during severe accidents. This con- 
clusion rests on a variety of factors. For one, the design of the 
filtration systems that are crucial to mitigating the release of ra- 
dionuclides during an accident has been based <m calculations cS 
the release of radionuclides from degrading reacts fuel. But re- 
search performed in connection with conunercial nuclear power 
plants, as well as recent studies of radionuclide release firom the 
Savannah River reactor fuel, show that this 'source term" may 
be greatly underestimated. Moreover, analyses of the loadmg cS 
the production reactor confinement system filters during hypo- 
thetical accidents have not included adequate consideration of 
nonradioactive particulates. The conunittee recommends that the 
Department demonstrate whether the confinement systems at the 
production reactors have the capabilities (1) to withstand realis- 
tic accident loads, and (2) to provide acceptable attenuation of 
realistic radionuclide releases in the event d a severe accident. 

Hydrogen generation and mitigation is also discussed in Ch^ 
ter 2. Earlier this year, the conunittee issued a letter repcMt to 
the Department of Energy concerning the Department's proposed 
approach to hydrogen mitigation at the N Reactor. (The letter 
is sununarzed in Chi4>ter 2 and included in Appendix G.) In the 
report, the committee reiterates its earlier recommendations that 
its concerns be addressed during the development of a detailed 
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derign to implement the proposed approach at N Reactor, and 
that the detafled design be subjected to an independent review 
prior to adoption. 

The committee also has concerns about the consequences of 
hydrogen generation in an accident at Savannah River. The Sar 
vannah River contractor has developed and proposed to DOE a 
concept for an ^improved confinement system" that the conunittee 
concludes may cause a buildup of hydrogen in a severe accident. 
The ccxnmittee suggests that the proposed system be reviewed to 
evaluate its potential benefits and also its added risks, particularly 
with respect to the enhanced possibility of hydrogen-combustion 
events. 

During normal operation of the N Reactor, radioactively con- 
taminated liquid effluents are discharged from the confinement 
into open, unlined basins. These effluents percolate into the earth. 
Such direct discharges of liquid effluents into the environment 
would also occur fdlowing accidents at either N Reactor or Sar 
vannah River. The direct discharge of radioactively contaminated 
liquid effluents, whether during normal operation or during acci- 
dents, poses a safety hazard and represents an environmentally 
unsound practice. It also represents a violation of the ^asic con- 
finement philosophy with which the reactors were designed. The 
conunittee recommends that the Department establish means to 
protect the environment from the radionuclide-contaminated Uq- 
uid effluents discharged during normal operation of the N Reactor. 
MeLns should also be found at both Hanford and Savannah River 
to prevent the direct discharge of contaminated liquid effluents to 
the environment following an accident. 

STRENGTHENING THE TECHNICAL BASIS FOR 
REACTOR SAFETY MANAGEMENT 

In Chapter 3 the conunittee examines the Department's re- 
lationship with its contractors, its organizational arrargements 
for ensuring the safety of the reactors, and the need for indepen- 
dent oversight. The conunittee concludes that the Department, 
both at headquarters and in its field organizations, has relied al- 
most entirely on its contractors to identify safety concerns and 
to reconunend appropriate actions, in part because the imbalance 
in technical capabilities and experience between the contractors 
and DOE staff is of sufficient magnitude to preclude DOE from 
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properly performing its audit function. There is a strong need for 
comprehensive DOE involvement in the operation of the produc- 
tion reactors. The conunittee reconmiends that the Department 
acquire and properly assign the resources and talent necessary to 
ensure that safe operation is being attained. Changes in DOE 
staffing levels and budgets may be required to achieve such a 
capability. 

The committee found that the Department's ^proach to man- 
agement falls short of reasonable expectation in attempting to cope 
with the mix of production and safety responsibilities. On occa- 
sion, the contractors have pressed for safety upgrades that DOE 
has then rejected for budgetary reasons. The committee believes 
that the Department needs to develop a better q>proach to mak- 
ing budgetary decisions in the face of important safety needs. The 
conrniittee also recommends that, in strengthening the monitoring 
of safety at the DOE production reactors, the Department should 
expand its capability to sponsor research, conduct and review 
safety analyses, evaluate operations, analyze trends, and assess 
proposed plant upgrades. The Office of the Assistant Secretary 
for Environment, Safety, and Health should have a permanent and 
significant onsite presence with a formal reporting relationship be- 
tween onsite personnel and headquarters staff. The Office should 
have more direct access to and involvement in the resolution of key 
safety issues on a timely and effective basis, as well as a central 
role in internal budgetary decisions of DOE. 

The committee concludes that the Department's safety over- 
sight of the production reactors is ingrown and largely outside 
the scrutiny of the public. Weaknesses in management of the de- 
fense production reactors have led to a loose-knit system of largely 
self-regulated contractors operating within budgetary constraints 
imposed by and on the Department. 

In light of the conflicting responsibilities of the Department 
to meet production requirements and assure safety, the committee 
considered whether to recommend the creation of an entirely n^w 
management structure responsible solely for assuring the safety of 
the production reactors. In lieu of transferring the Department's 
reactor safety responsibilities to the Nuclear Regulatory Commis- 
sion or to some new entity also totally outside DOE, the committee 
recommends that an independent, external safety oversight com- 
mittee, advisory to the Secretary of Energy, be established. The 
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oversight committee should possesf* the following features: mem- 
bers should be of recognized stature with expertise covering the 
full range of disciplines relevant to reactor safety; members should 
include individuals from outside the DOE conmiunity; the com- 
mittee should have authority to set its own agenda; the conmiittee 
should be authorized to review both the product and the pro- 
cess of the Department and contractor efforts, including review of 
design, safety analysis, operations, management, inspection, and 
enforcement; the conunittee should be supported by a full-time, 
technically qualified staff because it could not function effectively 
without one, and by a budget adequate for obtaining external 
technical assistance as required; and the bulk of the conmiittee's 
work should be unclassified and available to the public. The com- 
mittee further recommends that the Department encourage each 
contractor to establish a permanent visiting committee of outside 
experts to review and assess the implementa-;;on of safety initia- 
tives and to report to contractor management at the site and at 
corporate headquarters. In sum, the committee concludes that 
DOE can accomplish the reactor safety functions assigned to it by 
Con^ss if the Department dedicates itself to the task, although 
the passage of time may demonstrate that more radical measures 
should be adopted. 

Fmally, the committee notes that the technological vigilance 
required to assure safety at the DOE reactors cannot be generated 
from organizational structure alone. Within even a large, properly 
structured organization, safety is a reflection of institutional com- 
mitment and capability. Leadership at the policy-making level is 
essential, and dedication to safety must permeate the Department 
of Energy. DOE has made recent strides in this direction, but its 
efforts need to be bolstered, institutionalized, and sustained. 
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Introduction 



On April 26, 1986, Unit Four of the Chernobyl Nuclear Power 
Station in the Soviet Union was destroyed in a nuclear accident 
much more severe than any previous nuclear accident in history. 

In the United States the response was prompt and vigorous, 
and is continuing. The Secretary of Energy took several immediate 
steps to review the near- and long-term safety of reactors owned 
and operated by the U.S. Department of Energy (DOE). At the 
Secretary's request, the National Academy of Sciences and the 
National Academy of Engineering formed a committee to assess 
safety and technical issues associated with the continued operation 
of the DOE*s Class A reactors — those capable of operating at over 
20 MW of thermal power (MWT). This report is a product of 
the committee's efforts It focuses on the four remaining "defense 
production" reactors operated by the Department for the purpose 
of producing nuclear weapons material. 

THE DEFENSE PRODUCTION REACTORS 
N Reactor 

N Reactor is situated on the Columbia River, within the Han- 
ford Nuclear Reservation, in the south cent'-al part of the state 
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of Washington. It is a pressurized, light- water cooled, graphite- 
moderated reactor rated a 4000 M WT. Steam can be suppUed to 
turbine generators owned by the Washington Public Power Supply 
System ( WPPSS) to produce about 860 MW of electricity. Con- 
struction of the N Reactor was authorized in 1958, and the reactor 
began operation in 1963; it achieved its full power rating in 1964. 

The reactor uses metallic uranium fuel clad with zircaloy to 
produce weapons-grade plutonium. The fuel is held in horizontal 
tubes and cooled by pressurized water. The zircaloy pressure tubes 
containing the fuel rods pass through a large graphite moderator 
stack. 

The reactor safety systems include 84 horizontal boron-carbide 
control rods that can be automatically inserted into the core in 
one second; & backup system of boron-carbide balls (neutron ab- 
sorbers) that can be released from hoppers above the core and that 
fall into the core as a result of gravity; an emergency core cooling 
system; a graphite and shield cooling system; and a confinement 
system designed to vent pressures greater than 5 psig that are 
expected early in any accident and then to filter any subsequent 
releases of radioactive materials. The reactor is currently operated 
by Westinghouse Hanford Company. 

In recent safety reviews of the N Reactor, attention has been 
focused on several key issues, including swelling of the graphite 
moderator stack under neutron irradiation; embrittlement of the 
pressure tubes under prolonged neutron irradiation and hydrogen 
exposure; lack of means to detect and mitigate problems that could 
result from concentrations of combustible gases that might be gen- 
erated during an accident; performance of the confinement system 
during an accident; and contamination of the environment by liq- 
uid effluents released both routinely and in the aftermath of an 
accident. Prior reviews of the N Reactor have also prompted DOE 
to accelerate the performance of a probabilistic risk sissessment, 
a method that can be useful for analyzing some of the foregoing 
concerns (see Chapter 2); that assessment is still in progress. 

Savannah River Reactors 

There are three Savannah River production reactors — desig- 
nated K, L, and P — located on the Savannah River Plant site 
in South Carolina, near the border with Georgia. The K and P 
reactors are used mainly to produce tritium, while the L Reactor is 



3 



currently only used to produce plutonium-239. A fourth reactor, 
the C Reactor, was retired in January 1987, and a f ^h reactor, 
the R Reactor, was shut down in 1964. L Reactor was restarted 
in 1985 after a 17-year hiatus. All of the Savannah River reactors 
are low-pressure, heavy-water cooled and moderated reactors of 
generally similar design — each with a maximum achieved power 
of about 28(X) MWT. The fuel in the Savannah River reactors is % 
uranium-aluniinum alloy clad in aluminum. Unlike the N Reactor, 
the plants are not also used for power production. Operation of 
the first Savannah River reactor began in 1953, at a design power 
level of about 300 MWT; the plants have been upgraded to the 
current power level. 

The changes in plant design that were necessary to achieve 
higher power levels led to concerns on the part of the Advisory 
Committee on Reactor Safeguards, especially with regard to the 
emergency core cooling systems and the confinements. These 
changes were reviewed at first on the basis of the military ne- 
cessity of the plants. Later, the changes were modified according 
to the need to adhere as closely as possible to the principle of 
comparability of the safety of the production reactors with the 
first commercial reactors *hen undergoing Ucensing. 

The principal reactor safety systems of the Savannah River 
reactors consist of 427 control rods that can be inserted in less 
than two minutes; 66 additional safety rods driven by gravity that 
can be fully inserted into the core in less than two seconds; a 
backup neutron-absorbing liquid injection system that is designed 
to be effective in 0.7 seconds; an emergency core cooling system 
with three independent leed lines (a fourth addition line is being 
installed in each reactor); and a confinement system with filters to 
reduce radioactive release in the event of a severe accident. E.I. du 
Pont de Nemours k Company has c^erated the Savannah River 
Plant since the start of constructi. in 1950. 

A number of safety issues has been identified at Savannah 
River in recent DOE reviews. For example, although the Sa- 
vannah River reactors have undergone extensive upgrading and 
modification, they show definite and understandable signs of ag- 
ing. One of the most serious aging phenomena affects the reactor 
coolant system. Stress and corrosion have led to the formation 
of cracks and pinholes at the location of weld-induced stresses. 
Cracks in the reactor vessel caused C Reactor to be removed from 
operation in 1985 and retired in 1986. 
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Uncertainties regarding the efi .:acy of emergency core cool- 
ing during a hypothetical, worst case, loss-of-coolant accident, 
including those identified by Ihis conunittee, led to a 50-percent 
reduction in permissible operating power level at the K, L, and P 
reactors between November 1986 and March 1987. The ability of 
the Savannah River confinement system to withstand pressures, 
temperatures, and aerosol releases associated with a severe ac- 
cident has also been called into question. Upgrades are under 
development. Probabilistic risk assessments that evaluate more 
severe accidents than those contemplated in the design of the 
reactors are Iso under way. 

COMPARISON OF THE N REACTOR TO THE RUSSIAN 
RBMK REACTOR 

Press reports aftei the Chernobyl accident called attention to 
a superficial similarity of the N Reactor to the Russia . RBV I 
reactor (of which the Chernobyl plant is an example): both use 
graphite as a neutron moderator, both use light water as a coolant, 
and both were alleged to have similar confinement systems, which 
allow a filtered release to the environment following an accident, as 
opposed to the containment structures used by commercial nuclear 
reactors, which are intended to limit releases to the leak rate of the 
buUding. Many of these reports suggested that the two reactors 
were susceptible to similar accidents. However, these suggestions 
were misleading because they overlooked important difierences 
between the two reactor designs, ''^he following discussioa shuws 
why the committee chose to approach N- Reactor safety in terms 
of issues identified in the course of the study rather than in terms 
of any real or apparent parallels with the Chernobyl reactor. 

The physical layout and design of fuel and graphite in the 
RBMK differ fundamentally from the layout and design of fuel and 
graphite in the N Reactor. The RBMK is a boiling water reactor 
(that is, under normal operating conditions steam is formed within 
the fuel tubes), while the N Reactor is a pressurized water reactor 
in which pressure is maintained at a level that precludes boiling 
of the coolant within the reactor core under normal operating 
conditions. The configuration of the graphite and fuel within the 
RBMK leads to a so-called "positive void coefficient." That is, if 
power increases for some reason, the reactor heats up and a greater 
volume of steam is formed within the fuel tubes. This increased 
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steam volume, or "voia .a the cooling water, causes power to 
increase further — a potentially unstable condition. By contrast, 
the configuration of the fuel and graphite in the N Reactor has 
heea designed deliberately so that should steam form within the 
fuel tubes, the power of the reactor would decrease. As a result of 
this design, there is an inherent stability in the operation of the 
N Reactor that is not available in a reactor with a positive void 
coefficient. 

An intense fire at the Chernobyl reactor was caused by the 
burning of the lar^e graphite stack that was used as a moderator. 
After the explosion that breached the Chernobyl reactor vault, 
air was able to circulate through the reactor core and provide 
oxygen that fed the fire, complicating efforts to bring the plant 
under control and probably exacerbating the release of radionu- 
clides to the environment. The graphite fire at Chernobyl had 
no part in initiating the accident. It was a result of the extreme 
conditions (high temperatures and air ingress) introduced by the 
preceding, highly destructive thermal explosion. Notwithstanding 
the problems exacerbated by the Chernobyl fire, the presence of 
grq)hite in a reactor system can enhance reactor safety. Graphite 
has a high heat capacity, which slows the rate of temperature rise 
in the reactor core, thus mitigating the effects of some potential 
accidents. Many possible severe accidents in graphite-moderated 
reactors (but not those involving a reactivity excursion such as 
that at Chernobyl) ^-ould be expected to develop slowly, allow- 
ing time for remedial actions that can bring the accident under 
control. 

The Chernobyl reactor also relied solely on slow-moving con- 
trol rods to control reactivity. Although these depended only upon 
gravity to insert into the core, they were inserted against a counter 
flow of coolant so that a full ?0 seconds was required for a control 
rod to move from the full-out to the full-in position. Moreover, 
the control rod design of the RBMK is such that after the con- 
trol rods have been fully withdrawn, subsequent insertion causes 
reactivity first to increase slightly and it only decreases upon fur- 
ther insertion. This initial reixtivity addition further exacerbated 
the reactivity excursion in the Chernobyl accident. By contrast, 
insertion of the N-Reactor control rods does not lead to an initial 
increase in reactivity, and the rods are driven in by hydraulic pres- 
sure. The time for insertion from the full-out position is less than 
two seconds — a fraction of that at Chernobyl. In addition, the N 
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Reactor has a secondary shutdown system of boron carbide balls 
that in an emergency would drop into the reactor from hoppers 
located above the core. The boron would absorb neutrons and halt 
the chain reaction in the fuel. If this mode of shutdown were called 
upon, the balls would drop to their final positions in less than two 
seconds. The N Reactor thus has redundant control systems that 
are much faster than those available in the Chernobyl design. 

The containment of an RBMK, called an "accident locaUza- 
tion system," consists of several isolatable compartments, each of 
which is designed to withstand the rupture of the largest pipe 
in the compartment. This design contrasts with the containment 
design used in power reactors in Western Europe and the United 
States. Western-style containment structures surround the reactor 
system with a single large volume, which is similarly designed to 
withstand the rupture of the largest pipe within the volume. The 
accident localization system of an RBMK is intended to limit the 
release of radioactivity from the plant in the event of an accident by 
retaining the radioactivity within essentially leak-tight volumes. 
The accident localization system also prevents the spread of ra- 
dioactive contamination within the reactor. During the accident 
at Chernobyl, pipe ruptures were far more extensive than that con* 
sidered in the design of the compartments of the RBMK accident 
localization system. As would happen in any containment sub- 
jected to loads weU in excess of the design, overpressurization and 
rupture of the containment resulted and led to massive releases of 
radioactivity from the plant. 

The confinement concept employed for the N Reactor (and 
the Savannah River leactors as well) is quite different than the 
containment concepts employed either in the Soviet Union or at 
U.S. commercial plants. In the event of an accident, the confine- 
ments deliberately vent the atmospheres surrounding the reactors. 
The confinements do not then need to withstand prolonged high 
pressures. The design basis accident assumes that the release of ra- 
dioactivity will not accompany the early large increase in coolant 
pressure and evolution of steam, so that the initial venting will 
not release radioactivity to the environment. When the initial 
pressure pulse has passed, the vent valves are designed to close 
based on the reduction in pressure. Attenuation of the ensuing 
radioactivity release can be accomplished because the venting of 
the confinements is along pathways equipped to trap much of the 
radioactive material in the atmosphere. Releases of radioactive 
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noble gases are not ameliorated by the confinement systems, hui 
catastrophic rupture of the confinements by over-pressurization 
leading to wholesale release of all types of radioactive material is 
thought by the contractors to be unlikely. 

Nevertheless, an important issue remains. Loads that would 
result from severe accidents at the production reactors could ex- 
ceed those used as the design basis and the question is whether 
such loads would cause the confinement function to fail. The 
need for consideration of potential loads in very severe accidents 
is discussed in Ch^>ter 2 of this report. 

Although the designs of American reactors are quite dissimilar 
from the RBMK design, there are lessons from the Chernobyl ac- 
cident that can be ^>plied at all nuclear plants, including the U.S. 
production reactors. Perhaps the most important lesson is that 
a severe accident can occur unless design and operation are ap- 
proached with care and integrity. The Chernobyl design revealed 
inadequate consideration of severe accidents, and lack of vigilance 
allowed direct violation of accepted safety practice by plant op- 
erators and their supervisors. Another lesson of Chernobyl is the 
importar'^e of understanding the mechanisms and consequences 
of severe accidents. Operators must have this understanding or 
they may induce an accident by violating rules they do not under- 
stand. Although the accident mitigation systems and emergency 
operating procedures normally in use at Chernobyl may have been 
consistent with the design basis accident for the RMBK reactor, 
the unavoidable fact is that an accident more severe than the 
design basis did occur. 

POSITIVE SAFETY FEATURES OF THE PRODUCTION 

REACTORS 

In addition to their relatively isolated locations, the Savannah 
River and N reactors have certain design and operational char- 
acteristics that stand out either because of their uniqueness or 
because they are highly desirable from the point of view of min- 
imizing both the likelihood and the extent of accidents. These 
features provide a general background to the particular safety 
issues raised in Chapter 2. 
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• The Savann&h River and N reactors have been operated 
for over 25 years. There is extensive operating experience with the 
reactors. 

• Both the Savannah River and N reactors operate under 
negative void and power coefficients (the latter refers to a decrease 
in reactivity with an increase in reactor power). This makes for 
more stable operation, simpler ccmtrol systems, and resilience in 
responding to increased power conditions should they occur. 

• In both types of reactors, the control mechanisms are de- 
signed to enter the core in low-pressure regions. At Savannah 
River, the reactors are operated at low temperatures and pres- 
sures. At N Reactor, the control rods are inserted into the graphite 
stack through cooling channels that are separate from the high- 
pressure process tubes. This not only facilitates and accelerates 
insertion of the control mechanisms but largely eliminates the po- 
tential for events that could result in accidental ejection of those 
mechanisms. 

• Both types of reactors have backup shutdown systems. 
Each of the Savannah River reactors has a liquid (gadolinium 
nitrate) injection system, and the N Reactor has a system of 
boron carbide balls that makes use of gravity for insertion into the 
core. 

• Both types of reactors have emergency core cooling sys- 
tems that can be reliably activated. The Savannah River reactors 
emergency core cooling systems are powered by diesel generators 
that run continuously, and there is a virtually unlimited sup- 
ply of cooling water. The N Reactor also has a highly reliable 
power system for its emergency core cooling system — with steam- 
driven power generation and diesels — and is further protected by 
a graphite cooling system (cooling tubes that run through the 
graphite moderator at right angles to the pressure tubes). For to- 
tally unprotected loes-of-coolant accidents, the large heat capacity 
of N Reactor's large graphite moderator stack would delay any 
long-term heatup. 

• The Savannah River reactors operate at much lower pres- 
sure and temperature than either the N Reactor or commercial 
power reactors. Consequently, their stored energy is significantly 
lower and any sudden release of energy would be relatively less 
damaging. 
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These positive features should be borne in mind as the various 
issues discussed in the subsequent chapters are examined. 

ORGANIZATION OF THE REPORT 

The report is organized in three main topics. Chapter 1 exam- 
ines the overall DOE safety system, and the particular philosophy, 
objectives, orders, and standards that govern the safety of the pro- 
duction reactors. Ch^>ter 2 addresses a coUection of significant 
safety-related technical issues. CThapter 3 assesses the manage- 
ment structure through which DOE and its contractors pursue 
safety. Throughout, the conmiittee has sought to recommend ac- 
tions that, if implemented, can provide a basis for establishing an 
adequate safety system, for resolving urgent technical issues, and 
for instituting a management arrangement that leads to indepen- 
dent safety oversight of the defense production reactors. 
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Safety results from the firm implementation of sound concepts. 
Chapters 2 and 3 discuss technical and organizational aspects of 
implementation; this chapter examines the conceptual foundation 
of safety at the Department of Energy (DOE) reactors. 

With respect to the production reactors, the DOE has estab- 
lished 1 safety system that consists of three major elements: 

• A safety objective, 

• Orders that prescribe the meaos for achieving the objective, 

and 

• A process for ensuring and verifying compliance. 

The committee concludes that DOE's conception and implemen- 
tation of each of these elements is less comprehensive, understand- 
able, and consistent than necessary to assure the continued safety 
of the defense production reactors. 

In addition, DOE production reactors have unique designs, 
making incorporation of operating experience elsewhere a difficult, 
and often impossible, task. This imposes a special burden on the 
DOE safety system, as compared with the commercial industry 
where there are multiple units of similar design, and requires a 
high degree of technological excellence in the DOE and contractor 
staffs. As described later in this report, the level of technological 
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vigilance that these organizations are currently applying to the 
assurance of safety is inadequate to the task. 

THE SAFETY OBJECTIVE 

Conclusion: The Department of Energy ha$ not clearly articu- 
lated, documented, and implemented a safety objective for the 
operation of its production reactors. 

The design, construction, and early operation of DOE's pro- 
duction reactors preceded the establishment of commercial reactor 
regulations. Moreover, the production reactors themselves differ 
significantly from commercial power reactors in purpose, design, 
and operaticmal characteristics. These considerations have made 
it impractical to adopt directly regulations established by the Nu- 
clear Regulatory Commission (NRC) for ^plication to the DOE 
production reactors. Nonetheless, DOE has publicly embraced 
the general objective of ensuring that DOE nuclear reactors are ' t 
least as safe as comparable NRC-licenaed nuclear power plants. 

Thus, the keystone of DOE's approach is "'comparability"— 
the goal of making DOE reactors at least as safe as conmier- 
cial nuclear reactors. Comparability is the guiding philosophy for 
DOE's Orders to its contractors and its procedures for ensuring 
and verifying compliance. Nonetheless, the conunittee concludes 
that comparability is at best an inexact guideline, so that the 
safety achieved in practice at the DOE reactors cannot be clearly 
related to conmiercial regulatory standards. It is important to 
observe, in this connection, that the inability to compare safety 
levels does not imply that the DOE reactors are unsafe. 

The stated DOE objective of comparability with commercial 
reactors emerged In the 1960s— at the time of the development 
of conmiercial reactor licensing. The Atomic Energy Conmiis- 
sion (AEC) asked the contractors for the production reactors to 
conduct safety analyses using the safety philosophy on which the li- 
censing process was based. The purpose was to determine whether 
modifications were needed in the production reactors to achieve 
the same level of safety required of conmiercial-reactor license 
applicants. 

The safety philosophy that came to be used to oversee the 
production reactors is similar to that used to regulate commercial 
reactors. The central idea is ^design-basis accidents," hypothetical 
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scenarios used to establish design requirements and set operating 
limits for the plants. These accidents were not defined as the most 
severe accidents that could be envisioned, but rather were less 
serious accidents that, although viewed as improbable, were con- 
ceivable occurrences. A "single failure" criterion was also used in 
assessing designs; a safety system was to be available to perform its 
function even if one active component of the system was assumed 
to have failed, in addition to whatever failures were assumed to 
have initiated the postulated accident. The purpose of the single 
failure criterion was to promote reliability by requiring redundancy 
and diversity in systems that must mitigate accidents: either two 
separate and independent systems of each kind or a backup system 
capable of saving the reactor if the primary system were to fail. 
The use of these principles in the analysis of the production reac- 
tors, years after the plants were constructed, led to the installation 
of backup safety systems and other safety equipment, which are 
believed to augment significantly the safety of the reactors. 

Today, the objective of comparability is included in DOE Or- 
ders, in the Department's contract with Du Pont at Savannah 
River, and in the contractors' safety analyses of the production re- 
actors, as well as in evaluations by DOE headquarters and the field 
organizations of contractor performance i^^ selected technical ar- 
eas. Furthermore, the DOE contractors have explicitly suggested 
in s^ety analyses that levels of safety comparable to those attained 
at commercial reactors have in fact been achieved at the DOE re- 
actors. The DOE reactors are, however, quite different in design 
and performance from the commercial reactors. In light of those 
differences, it is extraordinarily difficult to provide a consistent or 
clear specification at the engineering level of what comparability 
means, nor of the methods to demonstrate that comparable levels 
of safety are in fact being achieved. This may explain why the 
conmiittee received contradictory statements from DOE officials 
as to whether comparability was actually the objective for these 
plants. Because of these facts, perhaps the only way to clearly 
specify comparable levels of safety is to use probabilistic estimates 
of the frequency of core-damage accidents or the frequency of large 
offsite releases of radioactivity. But neither of these can be calcu- 
lated with suffinent confidence of accuracy to be of any actual use 
to DOE or its contractors in making safety decisions at the pro- 
duction reactors. Thus, although comparability has been a useful 
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tool that over the years has motivated improvements in safety sys- 
tems in the production reactors, it has not served — and perhaps 
cannot — as a clear safety benchmark. 

DOE has not specified the levels of safety that must be at- 
tained, and the concept of comparability is not sufficiently concrete 
to provide adequate guidance in the absence of such a specification. 
With no clear object i>f; spelled out, judgments and interpretations 
are made in a decentralized fashion. This has resulted in the arbi- 
trary and inconsistent application of commercial standards at the 
t9^'j production sites. For example, in order to demonstrate com- 
pliance with th^ commercial reactor limits on radiation doses at 
the site boundary during accidents, as reflected in the NRC's siting 
criteria (10 CFR 100), assumptions must be made concerning the 
hypothetical performance of the production reactor confinement 
systems in preventing the release of radionuclides as compared to 
commercial reactor containment 'systems. (The application of the 
NRC site criteria to the Savannah River and N reactors is discussed 
in Appendix H.) These assumptions have not Leen articulated and 
examined in a systematic fashion. DOE needs either to clarify the 
purposes for which 10 CFR 100 is to be used or develop a more 
meaningful standard for assuring public health and safety. 

There are other commercial standards for which the question 
is not so much how the standards have been applied, but whether 
they have been applied at all. For example, although DOE Orders 
require the application of the NRC's general design criteria for 
modifications to production reactor safety systems, the need to 
comply with those criteria is contingent upon a determination by 
DOE that safety would be significantly improved by such com- 
pliance. It is unclear what process is to be used to make such a 
determination. The recent DOE Design Review of the Savannah 
River reactors compared the reactors against the NRC's require- 
ments and found that the reactors do not mee^ aeveral important 
criteria. 

In summary, there is no clear explanation of how compara- 
bility is or should be used in the design, operation, and safety 
review of the DOE reactors. The committee's interviews with 
DOE and contractor personnel raise an even more fundamental 
concern; those interviews indicate that the objective of attaining 
comparable safety is neither consistently applied nor fully accepted 
by DOE and its contractors. The confusion and disagreement over 
the basic safety objective for the production reactors may help to 
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explain why DOE and its contractors have been slow in developing 
programs for upgrading these facilities to maintain safety margins, 
and why they have been slow to address a range of issues related 
to the potential for severe accidents. Furthermore, the commit- 
tee was told in interviews that, in the past, the contractors have 
pressed for safety upgrades that DOE has then rejected for bud- 
getary reasons. In short, the safety objective is so imprecise that 
it does not provide a means to establish whether improved safety 
is needed nor does it illuminate how urgently the improvements 
are required. 

The committee does not take issue in principle with the goal 
of comparability. As the idea is put into concrete form in DOE 
Orders and in contractor behavior, however, the weaknesses of the 
philosophy of comparable safety become apparent: 

• There are few quantitative standards to use. 

• Extensive discretion in the application of commercial stan- 
dards is left to DOE staff and contractors. That discretion is not 
subject to explicit guidance. 

The committee recognizes, in addition, that objectives other than 
comparability may be equally valid, including the promulgation 
of quantitative safety goals, such as those adopted by the NRC. 
Whatever safety objective is chosen, however, it is essential that 
a practical and demonstrable system to implement that objective 
be established. A logical framework of standards and safety per- 
formance criteria must be instituted to ensure that the desired 
level of safety is achieved and maintained. Any objective without 
such a supporting framework will not provide a consistent basis for 
decisions concerning production reactor design, modification, and 
operation, and will, in our view, fall short of public expectations 
for the safety of DOE's facilities. 

Recommendation: The Department of Energy should clarify 
its safety objective for operation of the production reactors. 
The objective should be operationally meaningful to DOE and 
contractor staff, and understandable to the public. It should 
provide a clear foundation on which the implementation of 
safety can be built 

DEPARTMENT ORDERS 

Conclusion' The Department of Energy has failed to specify 
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clearly the safety requirements imposed by its Orders, has failed 
to apply them uniformly at the two reactor sites, and has failed 
to implement them in a timely manner. 

DOE regulates the production reactors by promulgating Or- 
ders that, as a result of contractual provisions, must be followed 
by the contractors. Table I.l presents a list of the main safety- 
related Department Orders that currently apply to the production 
reactors. (Each of these Orders is briefly described in Appendix 

The committee finds significant ambiguity in many of the 
Orders and a lack of vigorous and timely implementation. In 
several instances the requirement in an Order refers to an NRC 
or industry standard but is either so qualified or so ambiguous as 
to raise doubt as to whether the standard is actually applicable. 
For example, reactor personnel are required to meet the training 
and qualification requirements of ANS 3.1 only ^to the extent 
appropriate." The relevant NRC regulatory guide ^need only be 
considered." Plant modifications only have to meet the NRC's 
general design criteria if and when DOE determines that safety can 
be "significantly improved." Contractors are required to document 
technical specifications, but the technical specifications themselves 
need only be "similar to those required for comparable facilities 
licensed by the NRC. . . ." Although a DOE Order states that an 
ANSI/ASME industry standard for quality assurance programs 
"... is the preferred standard for quality assurance," the order 
elsewhere states that DOE encourages "the judicious and selective 
application of elements of appropriate, recognized standards . . ." 
for quality assurance programs. 

DOE Order 5480.4 specifically addresses the question of stan- 
dards. It defines five sets of industry codes as "mandatory environ- 
ment, safety, and health (ES&H) standards" that DOE contractors 
are required to meet as a matter of DOE policy, but only if and 
when DOE determines that their application would increase safety. 
The committee could find no formal documentation that such a 
finding had ever been made. In addition, DOE Order 5480.4 lists 
many "reference ES&H standards," which are described as "ref- 
erences on good practice." * But the reference standards are not 
prescribed for operation of the reactors and are not implemented 
in a timely fashion by the contractors. 

One instance of significant delay in application of standards 
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TABLL 1 1 DOE Re&etor Safety Ordert 



Order No 


Title 


Date Issued 
or Revised 


1300.2 


DOE SUndardt Program 


12/18/80 


i>4oU / 


rire I'roceccion oi ijKjts raviiivicf 




5484.1 


Environmental Protection, Safety, and 
Health Protection Information Reporting 
Requirements 


8/13/81 


5500.2 


Emergency Planning, PreparedneM, aiid 
Response for Operations 


8/13/81 


5500 3 


Reactor and Nonreactor Nuclear Facility 
Emergency Planning, Prepat^edness, and 
Response Program for DOE Operations 


8/13/81 


5500 4 


Public Affairs Policy and Planning 
Requirements for Emergencies 


8/13/81 


5480.4 


Environmental Protection, Safety, and 
Health Protection Standards 


5/lo/o4 


5000 3 


Unusua' Occurrence Reporting System 


11/07/84 


5480 IB 


Environmental Protection, Safety, and 
Health Protection Program for DOE 
Operations 


9/23/86 


5480 6 


Safety of DOE-Owned Reactors 


9/23/86 


5481 IB 


Safety Analysis and Review System 


9/23/86 


5482 IB 


Environmental Protection, Safety, and 
Health Protection Appraisal Program 


9/23/86 


5700 6B 


Quality Assurance 


9/23/86 



relates to the environmental qualification of reactor electrical 
equipment — that is, documented assurance that electrical systems 
are capable of operating for prolonged oeriods under potential ac- 
cident and post-accident conditions. Environmental qualification 
of equipment is a general design criterion for commercial reactors 
(covered in 10 CFR 50, Appendix A), and was a "recommended" 
DOE standard as early as 1981. In 1984, DOE issued Order 
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5480.4, upgrading the environmental qualification requircnent to 
a "mandatory" standard. The contractor at the N Reactor then 
hired the General Electric Company (GE) to assess the need to 
environmentally qualify certain systems at N Reactor. GE sub- 
mitted a report in March 1986 that stated that some systems 
would need to be qualified to meet the applicable standards. The 
contractor's current environmental qualification program has been 
incorporated into the N-Reactor accelerated safety enhancement 
program, but it will be several years at least before all of the equip- 
ment in the plant can be reviewed to determine what needs to be 
upgraded to meet the standard. Obviously, such delayed applica- 
tion serves to limit the effectiveness of the standard in assuring 
safety. In this case, however, there has been delay upon delay: a 
delay of some seven years from the time the NRC passed its envi- 
ronmental qualification rule to the time DOE issued its standard, 
plus additional delay in implementing the standard after DOE 
issued it. 

The conmiittee found several other indications that DOE does 
not always vigorously ensure that all of the requirements imposed 
by its Orders are implemented in a timely manner. In some cases 
the Orders have not been implemented, appaiently because of 
limited staffing of the field offices. In other cases DOE's extension 
of a formal waiver has allowed a delay in implementation. 

For example, in 1977, the operating contractor for the N 
Reactor suggested that a better system for the control of liquid 
effluents was necessary, but DOE did not accept the UNO proposal. 
However, on March 20, 1984, DOE issued an Order (DOE Order 
5820.2) that stated, in effect, that a discharge of liquid effluents to 
the sand cribs at the N Reactor was unacceptable. DOE directed 
that: 

DiBpoial operationi involving discharge of Hquid Low Level Waste 
(LLW) directly to the environment or on natural soil columns 
shall be replaced by other techniques such as solidification prior 
to disposal or in-place immobilisation, unless specifically approved 
by Heads of Field Organisations, in consultation with [DOE head- 
quarters]. 

The Order is still not applied to N Reactor, however, because a 
waiver was granted authorizing continued use of cribs. In light of 
the $80 million to $100 million cost to upgrade the effluent control 
system and the limited lifetime cf the facility, it is possible that 
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the waiver will be extended throughout the remaining life of the 
reactor. 

Recommendation: The Department of Energy should revise its 
Orders to specify clearly the requirements imposed and dead- 
lines for implementation. In addition, DOE and Congress 
must provide adequate funds for implementation. 



VERIFICATION OP COMPLUNCE 

Conclusion: DOE headquarters has only recently undertaken 
appraisals of field organization and coutractor safety programs 
that are comprehensive and related to the Department's safety 
objective. 

Prior to the Chernobyl accident, DOE headquarters appraisals 
of DOE field organization and contractor reactor safety programs 
were only infrequently conducted. For example, in the six years 
prior to the Chernobyl accident, there were two headquarters 
appraisals of reactor safety at Savannah River (in 1982 and in 
1986, just before the accident) and orly one at Hanford. 

The extent of headquarters' involvement vith the DOE field 
organizations and the contractors began to change with the ap- 
pointment oi a new Secretary of Energy in 1985. One of the 
Secretary's first acts was to request a review of the soundness of 
the Department's ES&H programs. That review ultimately led 
to the consolidation of the DOE's ESkH functions under a single 
Assistant Secretary and to the initiation of what was expected to 
be a short-term program of headquarters appraisals of the field 
organizations and their nuclear contractors. These were to be di- 
rected by the new Assistant Secretary and her staff. A schedule 
for the technical saT^^^ty appraisals was drawn up in the months 
preceding the Chernobyl accident. 

The accident prompted DOE to accelerate its schedule of 
appraisals and to organize teams of outside experts to conduct 
additional reviews: separate design reviews of the Savannah River 
and the N reactors; a special safety review of the confinement and 
graphite features of the N Reactor; six independent reviews of the 
overall safety of the N Reactor by a group of outside experts (the 
so-called Roddis panel); and the review by this committee. Taken 
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together, these reviews represented the first thorough and inde- 
pendent evaluation of the production reactors since the breakup 
of the AEC. 

It is unclear what the future relationship between headquar- 
ters and DOE field organization appraisals will be, or the extent 
to which commercial standards for reactor design and operation 
will continue to be used to provide criteria for evaluating contrac- 
tor performance. Adequately sorting out the former will require 
changes in organizational structure of the kind addressed by the 
committee in Chapter 3, while the latter cannot be properly ad- 
dressed until DOE establishes a meaningful safety objective and 
the supporting standards to implement it. 

Recommendation: The Department of Energy should conduct 
comprehensive, high-quality audits of contractor performance, 
including the uhe of substantive engineering analyses and rigor- 
ous inspection procedures, on a frequent and continuing basis in 
order to assure compliance with departmental orders, (Specific 
reconmiendations on the organizational structure to enhance 
the effectiveness of these audits are presented in Chapter 3.) 

TECHNOLOGICAL VIGILANCE 

Conclusion: The age and unique designs of the DOE pro- 
duction reactors demand high levels of technical capability in 
operating, engineering support, and supervisory staff. Levels 
of technological vigilance greater than those found in the com- 
mercial nuclear industry are needed to reach comparable levels 
of safety. 

Rulec, goals, supervision, and evaluations of performance are 
necessary but not sufficient to assure safety. The technical compe- 
tence of workers in both operations and management, in addition 
to their motivation and sense of responsibility, are essential as 
well. The conmiittee views these attributes as aspects of techno- 
lo^^ical vigilance. In light of the unique characteristics of the DOE 
production reactors, high levels of techrological vigilance— higher 
even than those found in the commercial industry — are necessary 
just to meet the objective of providing comparable safety. 

There are two outstanding characteristics that place special 
demands on the management and oversight of the DOE reactors. 
First, the production reactors are older than most of the nuclear 
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reactors currently in operation. Modifications to the reactors and 
their control systems have made the DOE reactors safer than when 
they were first constructed. But they are now more complex than 
when they were new, and the complexity is inimical to safety in 
ways that are not easy to delineate. The aging of components and 
subsystems increases the likelihood of failures and places special 
requirements on the reactors in the areas of maintenance and 
testing. 

Second, the uniqueness of the production reactor designs lim- 
its the applicability of analyses and experience gained elsewhere 
in the nuclear industry. For this reason, the experimental and 
analytical results necessary to determine reactor performance un- 
der accident conditions — which are now being developed by DOE 
contractors — need to be comprehensively and carefully reviewed. 
The difficulties encountered in verifying the performance of emer- 
gency core cooling systems at Savannah River (discussed in Chap- 
ter 2) illustrate the problem well. 

In the committee's view, DOE and its contractors can only 
become a standard*bearer in the field of reactor safety through 
sustained, onsite development of reactor safety technology. In 
particular, methods and analytical techniques that are at least 
comparable in technical sophistication to those used in the com- 
mercial industry need to be developed and utilized in conjunction 
with rigorous peer review. 

Fostering high levels of technological vigilance at the defense 
production reactors requires a combination of high degrees of tech- 
nical expertise and effective management. Some degree of contrac- 
tor staff expansion may be required to conduct the additional an- 
alytical and experimental work needed to assure the safety of the 
reactors. Moreover, given the overshadowing of DOE personnel by 
contractor staff at both Savannah River and Hanford, as discussed 
in Chapter 3, augmentation of the DOE staff is reconunended. 

Recommendation: The Department of Energy and its eontrae^ 
tors should develop an expanded in-house capability to address, 
evaluate, and achieve an in-depth understanding of the techni- 
cal issues associated with the safety of the production reactors. 
Methods and analytical techniques that are at least comparable 
in technical sophistication to those used within the commercial 
nuclear industry should be developed and used. The analyses 
and supporting tests needed to support this effort should be 
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comprehensive in scope and should be subjected to thorough 
outside peer retfiew. 

NOTE 

^ Prior to 1984, DOE made a distinction between "prescribed" 
and "recommended" standards similar to the later one between 
mandatory and reference standards. The earlier distinction was 
as ambiguous with regard to applicability as the later one. 
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Technical Issues 



In the course of its study, the committee identified a number 
of technical issues that should be resolved in order to improve the 
safety of the production reactors. These issues, the topic of this 
chapter, are listed in Table 2.1. Some of the issues relate to design- 
basis accident considerations, but the majority arise principally 
from a consideration of more severe reactor accidents — accidents 
involving disruption and melting of reactor fuel. 

The committee recognizes, of course, that in more than 30 
years of operation there have been no severe accidents at the 
defense production reactors. Yet despite the largely satisfactory 
operating experience of these plants, concerns remain about the 
possible behavior of production reactor safety systems should an 
accident occur. The issues are of two kinds. First, there are 
issues relatiij to safety equipment, such as whether emergency 
core cooling or confinement systems would operate as intended 
in an accident. Second, there are issues relating to operation 
of the production reactors, and, in particular, whether a severe 
accident could inadvertently be triggered and whether the staff 
would respond properly to a severe accident if it were to occur. 

Few industries are judged by their ability to handle severe 
accidents. Commercial aviation, commercial nuclear power, the 
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TABLE 2.1 Technical loauet Covered in Chaptei 2 



Acute a^ng phenomena 

Maintenance and plant noodernisation 

Power operating limits 

Probabilistic risk evaluation 

Severe accident evaluation 

Confinement systems 

Hydrogen generation and mitigation 

Cermet fuel 

Human performance 

Liquid effluents 

Emergency planning 



nuclear weq[>oii8 complex, and, implicitly, defense nuclear materi- 
als production are nonetheless held to this standard. In light of the 
widespread public concern resulting from the Chernobyl accident, 
and because of its considerable experience in conunercial reac- 
tor safety regulation, the committee has stressed severe-accident- 
related issues in its examination of the production reactors. The 
reader f hould recognize that a committee with a different make-up 
could v eil have focused on different topics. In that connection, the 
committee wishes to emphasize that attention to severe accidents 
cannot in and of itself assure the safety of the production reac- 
tors and must not be allowed to detract from programs with more 
inmiediate benefits — namely, those programs essential to manag- 
ing, operating, and maintaining the production reactors so that 
accidents do not occur in the first place. 

ACUTE AGING PHENOMENA 

Conclusion: Tht production reactors all display symptoms of 
acute aging that could affect safety and are likely to limit the 
useful lives of these reactors. 

The Savannah River reactors were built in the 19508, and the 
N Reactor began operation in 1963 Both reactor types are old and 
are beginning to experience life-limiting, material aging brought 
on by irradiation and corrosion. The contractors operating the 
production reactors are well aware of these acute aging problems 
and have introduced a variety of measures to cure or mitigate 
the aging processes. Summary descriptions of the acute aging 
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problems are presented below. Further details are provided in 
Appendix D. 



Sarannah Rbrer Reactors 

Stress corrosion cracking of the stainless steel piping system 
and re. 'or tank is the most acute aging problem facing the Sa- 
vannah River reactors. To avoid corrosion of the aluminum-clad 
fuel, the Savannah River reactors operate with a deuterium ox- 
ide coolant that is mildly acidified and contains a relatively high 
level of dissolved oxygen. In this chemical environment, the reac- 
tor's high-carbon content stainless steel is susceptible to oxygen- 
induced, intergranular stress-corrosion cracking in the regions of 
weUs. The significance of cracking is that cracks may be suscepti- 
ble to unstable growth that could lead to catastrophic rupture of 
the coolant system. 

Cracks were detected in a particularly susceptible knuckle" 
region of the C-Reactor tank in 1967. Since then, the Savan- 
nah River contractor has upgraded the inspection program at the 
Savannah River reactors to detect further cracking. 

A satisfactory repair process for cracking detected in piping 
systems is simply to replace the affected piping. Repairing cracks 
in a reactor tank presents a more challenging problem. In 1968 
patches were welded over the cracks in the C-Reactor tank, but 
leaks were detected in the heat affected zones of these welds in 
1984. These leaks are probably the result of the accumulation 
of helium bubbles in the metal of the reactor tank wall, arising 
from neutron irradiation of the steel and subsequent radios :tive 
decay to yield helium. Since the welds were at locations on the 
tank that experienced low neutron fluences and, consequently, 
had relatively low accumulations of helium, welds susceptible to 
stress-corrosion cracking in other regions of the reactor tank, where 
neutron fluences and helium accumulations are higher, would be 
expected to be even less easily repairable by welding. Replacing 
the C-Reactor tank has been deemed infeasible. At the end of 
1986, in the <'>sence of effective methods to repair the cracks, the 
C Reactor was retired from service. 

The P, K, and L reactor tanks at Savannah River are also 
susceptible to stress corrosion cracking, although, to date, no such 
cracking of the tanks has been observed. The Savannah River 
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contractor has developed an operating procedure based on "detect- 
before-fracture" and "leak-before-break" philosophies. That is, 
extensive surveiUance of susceptible regions of the coolant system 
is being conducted to identify cracks or flaws. Calculations based 
on conservative applications of elastic-plastic fracture mechanics 
are conducted to determine the size beyond which growth would be 
unstable under normal operating stresses or abnormal emergency 
conditions. 

The onmnittee believes the Metect-before-fracture''/'^eak- 
before-break" operating philosophy for the Savannah River reac- 
tors 18 likely to succeed because the reactors operate at low pres- 
sure, with modest stresses on the susceptible regions even under 
abnormal conditions. (This is also the judgment of outside con- 
sultants hired by the contractor.) The contractor is handicapped 
in applymg this procedure because only visual identification of 
cracking in the vessel can now be performed. This is because of 
the unique design of the Savannah River reactors, which does not 
lend itself to the ready use of ultrasonic testing equipment that 
has been designed for use in light-water reactors. The committee 
believes that the contractor's efforts to develop ultrasonic crack 
detection methods suited to the Savannah River reactors are to 
be encouraged, as are the contractor's continued efforts to develop 
technology for repairing cracks in the reactor tanks. Without 
such repair technology, all of the Savannah River reactors may 
eventually have to be retired from service due to stress corrosion 
cracking. 



N Reactor 

Two acute aging problems beset N Reactor. Both are brought 
on by the prolonged irradiation of reactor materials over the life 
of the reactor. Radiation damage is causing the high fluence 
regions of the graphite moderator to expand. Because the expan- 
sion is nonuniform, it places stresses on the process tubes and 
the graphite cooling tubes interspersed throughout the graphite 
moderator. The fracture of four cooling tubes has been attributed 
to stresses on the tubes caused by the offsetting movement of ad- 
jacent stacks of graphite. The expansion of the graphite is also 
distorting the horizontal control rod channels and the vertical 
channels for the boron carbide ball scram system. At the same 
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time, the process tubes are being embrittled by exposure to rar 
diation. The embrittlement is augmented by zirconium hydride 
formation, which enhances stress at the locatbn of cracks, making 
the metal less fracture resistant. Gouging of the distorted pro- 
cess tubes during fuel insertion provides opportunities for crack 
formation and subsequent failure of the tubes. In sum, graphite 
expansion is placing stresses on hardware within the N-Reactor 
core at a time when irradiation-induced embrittlement is making 
the metal components that reside for long periods less able to 
withstand these stresses. 

Expansion of the graphite wUl reach a critical juncture when 
the moderator comes into contact with the reactor vault's biolog- 
ical shields. The Department of Energy has indicated that when 
this happens — and it is expected to occur sometime between 1991 
and 1996 — N Reactor will be retired. 

In the meantime, the contractor operating N Reactor is de- 
veloping a program to monitor the graphite growth and to assess 
the deterioration of the fracture toughness of the hardware in 
the core. Although the procedures that the contractor intends to 
use to monitor process-tube embrittlement seem well founded, the 
conmiittee questions whether the application of these procedures 
is sufficiently extensive. Initial plans called for the destructive, 
metallurgical and strength testing of only 4 of the 1003 process 
tubes in the N-Reactor core, and nondestructive testing of only 
about 5 percent of the tubes. There are four distinct types of 
tubes in the reactor core, resulting from the use of three different 
manufacturers and two levels of cold work on one manufacturer's 
tubes. Radiation effects on the tubes vary from location to lo- 
cation as well as varying with the method of tube manufacture. 
As a result, the initial surveillance plan was almost certainly too 
limited to yield a proper statistical representation of multivariate 
effects. Recently, indications of surface and subsurface flaws in 
N-Reactor process tubes have been found using eddy-current and 
ultrasonic techniques. This has resulted in extending the numLer 
of nondestructive examinations to 152 tubes, including complete 
examinations of all tubes in the class of tubes with the most nu- 
merous indications of flaws. Comparison of results obtained with 
nondestructive techniques to results obtained by destructive ex- 
aminations indicates that the nondestructive techniques yield low 
estiinr^£3 of the length and depth of larger flaws in the tubes. As 
a result, the contractor has decided (1) to remove any tube which 
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by tiondestructive methods is indicated to have a flaw deeper than 
0.1 inch (the process tube wall thickness is 0.275 inches), (2) use 
analyses to assess the growth rate and acceptability of flaws less 
than 0.1 inch deep, (3) remove a total of six process tubes for 
destructive examination, and(4) continue to update and improve 
nondestructive examination techniques and analysis models. 

The contractor does not now plan 100 percent nondestructive 
examination of the process tubes. The committee believes that 100 
percent examination may be worthy of consideration in light of the 
frequency of flaw 'jidications in the process tubes examined to date, 
uncertainties in the reliability of nondestructive techniques for 
indicating flaw sizes, and uncertainties in the growth and behavior 
of flaws. 

The contractor has also suggested a variety of methods both 
to ameliorate the effects of graphite expansion and to slow the 
rate at which it is occurring. The expansion rate can be slowed by 
flattening the neutron flux distribution throughout the N-Reactor 
core so that radiation damage is accumulated at a slower rate 
across a greater volume of graphite. This will, of course, involve 
changes in the neutronics of N-Reactor operation and will require 
extensive analysis (for example, of xenon oscillation effects) prior 
to implementation. The contractor is aware that flattenmg the 
flux distribution increases the power density in the outer portions 
of the core where the graphite cooling system is least effective. For 
this reason, the contractor is currently assess' ig the implications 
of the flux-flattening program for the analysis of those ^vere 
accidents that are mitigated only by effective gr^.phite cooling. 

Slowing the rate of growth of the graphit. moderator will not 
preclude a range of potential problems. Enhanced methods of in- 
service inspection of the least accessible regions of the graphite 
will be mcreasingly important in detecting any unexpected local 
distortions or graphite damage. 

The expansion of the graphite is also distorting the horizontal 
control rod channels and the vertical channels for the boron carbide 
ball scram system. The committee carefully reviewed these effects. 
The backup boron carbide ball scram system has an excellent 
margin for reliable operation in the face of the distortion of the 
channels, and the contractor has taken steps to assure that the 
functioning of the control rods is not impaired by the graphite 
distortion. 
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Sumiiiaiy 

The production reactora are old facilities and despite a variety 
of costly upgrades that have been implemented over the years, a 
number of acute problems related to their material aging cannot be 
avoided. The need to address these problems requires substantial 
allocation of contractor and DOE resources. One source of the 
current difficulties is the lack of planning in the past to provide 
for a safe, continuing production capacity. Within the coming 
decade that failure xould result in the nation having to rely upon 
a small number of aged production reactors that demonstrate 
serious safety problems, but with no other facilities ready to take 
their place to meet the nation's security needs. 

Recommendation: The remaining useful life of the four pro- 
duction reactors is likely to be equal to or shorter than the time 
needed to authorize, fund, design, and buUd new facilities to 
produce special nuclear materials, particularly in light of the 
status of the N Reactor. If the United States finds it neces- 
sary to have a reliable and safe capability for the production of 
strategic nuclear materials, then planning for new production 
reactors or other alternatives should be accelerated. 

MAINTENANCE AND PLANT MODERNIZATION 

Conclusion: The increasing needs for maintenance and plant 
modernization brought on by the aging of the production reac- 
tors are not being met by the existing programs. 

Programs of corrective and preventive maintenance at both N 
Reactor and Savannah River appear in need of comprehensive up- 
grading in order to ensure that mwitenance of the production re- 
actors is adequate. The need for improved maintenance planning, 
procedures, and systems and better crafts training of maintenance 
personnel was identified in several post-Chernobyl reviews of the 
production reactors. These recent calls for improved maintenance 
echo quite similar comments on production reactor maintenance 
made following the accident at Three Mile Island, notwithstanding 
substantial progress since then. 

Two philosophies for the maintenance of nuclear facilities are 
widely recognized, in one philosophy, maintenance is devoted to 
the repair or replacement of systems and components that have 
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failed or that have fallen in performance below some minimum 
acceptable standard. A somewhat more sophisticated applica- 
tion of this maintenance philosophy uses projection techniques to 
forecast minimal operability conditions in order to guide the main- 
tenance effort. The second, far more conservative philosophy of 
maintenance is based on continually reestablishing the safety and 
operational margins of systems and components whether or not 
these have become demonstrably defective. That is, the originad 
performance margins of the plant, rather than minimal operat* 
ing criteria, provide standards for maintenance. Because nuclear 
plants are subject to complex interactions between and among 
plant systems, and because of the ongoing evolution in nuclear 
facility safety standards, this second, more conservative philoso- 
phy is particularly suited to aged facilities such as the production 
reactors. 

Over the last several years, DOE's contractors have formu- 
lated plans for upgrading the Savannah River reactors and the 
N Reactor. All of these plans are of relatively recent vintage 
and were formulated to remedy problems that developed during a 
protracted period when little of the budget was available for main- 
tenance and modernization. The most important of these plans 
are as follows: 

1. Productivity Retention Program for N Reactor. 
Initiated in 1984, this program is to be complete in 1992. It 

involves primarily rehabilitation of pumps, valves, and boilers and 
the upgrading of obsolete instrumentation. 

2. Productivity Assurance Program for N Reactor. 

The program plan for this work, written in 1985, addresses 
extension of the useful life of N Reactor. Now part of the Ac- 
celerated Safety Enhancement Program, it consists primarily of a 
surveillanca effort to monitor aging phenomena, such as process 
tube embrittlement and graphite expansion. 

3. Savannah River Facilities Upgrade Study. 

This program was the forerunner of, and has a very similar 
thrust to, the Productivity Retention Program at N Reactor. 

4. Improved Confinement Facilities for SRP. 

This program is an effort to upgrade the confinement at the 
Savannah River reactors. The principal focus of the project is to 
enhance the noble-gas retention capability of the confinement. 

Though the stated motivation for the above plans is the 
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reestablishment of plant safety margins, it is clear that these plans 
have been formulated within the context of the first philosophy of 
maintenance — correction of demonstrably defective components. 
Funding limitations have prevented these projects from constitut- 
ing comprehensive, systematic maintenance and modernization 
programs. For example, in the case of the Savannah River re- 
actors the funding requested for the facilities upgrade initiative 
amounted to only 1 percent of the estimated replacement cost of 
the facilities. Consequently, as noted explicitly ia the plan, only 
the most urgent maintenance and upgrading needs were addressed. 
Similarly, the plan developed for the N Reactor explicitly notes 
that it addresses only systems currently experiencing failures or 
projected to degrade seriously by the mid-1990s. 

Extraordinary maintenance efforts are needed at the produc- 
tion reactors. The number of unresolved reactor incidents at the 
Savannah River reactors has been steadily increasing over time, 
as shown in Figure 2.1. In 1983, there were 130 such unresolved 
incidents and by 1986 the number had risen to over 250. The 
number of so-called recurring incidents (an incident that happens 
at a rate in excess of 8 over a two-year period) has also increased. 

One of the most striking examples of the need to modernize 
is shown by the refueling practices at N Reactor. During refuel- 
ing workers are routinely sprayed with radioactively contaminated 
water. Though the workers are equipped with protective clothing, 
the refueling procedures in use are antiquated and should have 
been discontinued years ago. Since 1983 approximately $6 million 
has been allocated for the development of remote, automated re- 
fueling equipment. Because of several false starts at engineering 
the equipment, alternative means of refueling the reactor are still 
not available. That remote, automated refueling equipment has 
not been developed and incorporated in a timely manner is symp- 
tomatic of the more general failure to modernize properly the N 
Reactor. 

Over the years the Savannah River contractor has developed 
engineering responses to a range of maintenance and moderniza- 
tion needs identified at the plant — from surveillance programs that 
respond to the discovery of cracking problems, to the development 
of computer systems for automatic backup shutdown capability. 
The committee found, however, that the process employed in de- 
signing, funding, prioritizing, and engineering these activities leads 



ERIC 



31 



300 



250 



(0 200 
z 

lU 

a 
o 

5 150 



o 
z 



100 



50 



§ Backlog of Unresolved Rt9 



4/1/87 



81 



82 



83 



84 



85 



86 



87 



YEAR 

FIGURE 2.1 Backlog of unresolved reactor incidents (RIa). Reactor inci- 
dents at Savannah River are classified by Du Pont into five categories on the 
basis of their safety significance: (A) "incidents with serious consequence" 
(none of these has occurred); (B) "incidents with signi^cant consequence 
or hasard potential"; (C) "incidents with remote haiard potential"; (D) 
•conditionally significant incidents" (which may indicate generic or recurring 
problems or design deficiencies); and (E) "incidents with no safety potential." 
The backlog of unresolved reactor incidents plotted in this graph involves 
incidents in categories B, C, and D. FVom 1981 through 1085, the distribution 
of these incidents remained approximately the same (12% Bs, 32% Cs, and 
56% Ds). 



to long delays in implementation. For instance, unwanted control 
rod motion caused by obsolete vacuum-tube amplifiers in control 
rod mechanisms is a problem that has been recognized for years, 
but remains uncorrected. More generally, the current backlog 
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of unimplem nted capital equipment projects at Savannah River 
includes some that date back more than five years, and schedules 
for completing recently proposed projects extend into the mid- 
1990s. 

In 1986 the Reactor Safety Advisory Committee for the Savan- 
nah River reactors reconunended that the backlog of maintenance 
activities be corrected before the problem became unmanageable. 
Over the first three months of 1987, extraordinary measures were 
introduced at Savannah River to reduce the maintenance back- 
log and to prevent the maintenance workload from growing faster 
than the work could be done. These efforts reduced the number of 
unresolved reaccor incidents, though the number is still in excess 
of 200. The urrent standdown of the N Reactor has been similarly 
useful in permitting completion of outstanding maintenance work 
at Hanford. 

Maintenance and modernization efforts, as described in the 
plans for N Reactor and Savannah River, ^pear to be directed 
principally at ensuring continued operation of ^he plants. Al- 
though the plans do cite public safety as one ^ tivation for the 
work, it is unclear how public risk reduction or risk aversion is 
ioctored into the setting of priorities Tor the work. Cost-benefit 
analyses of modernization efforts at N Reactor currently consider 
loss of production and lo^s of revenues from steam sales. While 
risk of the loss of oper^ tion and the risk of radiation exposure to 
workers are considered, public risk posed by a poG.iy maintained 
and modernized plant does not enter explicitly into the computa- 
tions. Public risk ought to be an explicit factor in making decisions 
about modifying the plants. 

Recommendation: Maintenance planni%g, procedure improve- 
ments, and system training should emphasize the special prob- 
lems inherent in operation of these aging reactors. DOE and its 
contractors should undertake systematic analysis of aging with 
increased emphasis on preventive maintet vxe and replace- 
mer.t of old components with new technology, where appropri- 
ate, in order to forestall in-service failures i.nd to reestablish 
the safety margins of the facilities. Avoidance or reduction 
of risk should be explicitly considered in the identification and 
prioritization of maintenance and modernization efforts. 
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POWER OPERATING LIMITS 



Sayannah River 

Conclusion: Based on preliminary analysis of the significant 
power derating that was put into effect during the course of this 
study, DOE and the contractor believe there is a reasonable 
expectation that the emergency core cooling system will prevent 
core damage in the hypothetical case of a loss- of -coolant ac- 
cident. However, the potential for and consequences of early 
core heatup caused by flow instability in the first few seconds 
of the accident remain to be explored. 

Conclusion: Adequate resources have only recently been devoted 
to developing a thoroughly documented understanding of the 
behavior of the reactors in a loss- of- coolant accident. 

In 1979 the Savannah River contractor obtained experimental 
data in an attenipt to quantify the power levels that might lead 
to dryout (loss of cooling capability in fuel assemblies) during op- 
eration of the emergency cere cooling system (ECCS). By 1981 
the contractor hsxi come to recognize that the 1979 experiments 
were suspect with regard to adequately representing certain im- 
portant physical phenomena. Between 1981 »^ ' 1986 staff of the 
Savannah River Laboratory engaged in re; j the work and 
conducting new experiments. This work esta ed that during a 
loss-of-coolant accident, dryout might occur at significantly lower 
power levels than previously believed. In late November 1986, the 
contractor notified DOE of the uncertainties associated with the 
effectiveness of the ECCS, and thereafter the allowable upper lim* 
its on operating power of the three Savannah River reactors were 
loweied by approximately 20 percent. 

In February and March of 1S87, the committee reviewed t* e 
available evidence and notified the Secretary of Energy that there 
were insufficient technical data to demonstrate that the ECCS 
performance of the Savannah River reactors could be assured, 
even at the reduced power levels (see Appendix C). Based on this 
report and subsequent reviews, the Department further reduced 
the power limits of the reactors to approximately 50 percent of th3 
original level. 

Dryout in the Savannah River reactors is controlled by counter- 
current flow limitations (CCFL) in the coolant channels. This can 
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be explained as follows. Normal coolant flow in the Savannah River 
reactor cores is downward. During a loss- 3f-coolant accident — a 
term of art that refers to a design-basis accident in which the 
largest pipe that carries cooling water is assumed to break — the 
coolant flow is reduced. For a given low rate of flow, the decay 
power level can be high enough that it leads to steam produc- 
tion that in turn can interfere with the downward flow of coolant 
through the core. The recent data indicate that the power level 
at which CCFL occurs may not be very far above the point of net 
vapor production (the point where the power is sufficient to heat 
the water to its boiling temperature). 

The problem of CCFL is complicated by the magnitude of 
boiling and condensation effects in the small coolant channels of 
the Savannah River fuel assemblies. In addition the parallel chan- 
nel configuration of the assemblies is a critical factor in .. Although 
CCFL phenomena have been studied in a variety of different set- 
tings and for both nuclear and nonnuclear applications, the ge- 
ometry of Savannah River fuel assemblies is sufficiently distinctive 
that the applicability of this past work is severely limited. 

Even the most recent experiments at Savannah River are not 
fully prototypic because the geometry of the test rig is different 
from the geometry of the full assemblies. This shortcoming has 
required the establishment of power limits that are low enough to 
prevent any bulk boiling during a loss-of-coolant accident. The 
viability of this approach is still contingent upon a quantitative 
understanding of the flow distribution among the assemblies and 
within them — that is, whether, under the conditions of interest, all 
channels receive an adequate amount of coolant from the ECCS. 

An additional complication is the need to show that smooth 
(quasistatic) emergency coolant flow will be quickly established 
following the flow instability ^nd associated boiling of the liquid 
coolant in the core within the first few seconds of a postulated 
loss-of-coolant accident. These early phenomena during a loes-of- 
coolant accident are a consaquence of depressurization of the inlet 
plenum, which causes the reactor coolant to flash t > steam within 
the fuel assemblies, leading to two-phase (liquid and gas) flow in 
the core. The two-phase flow exhibits a much larger hydraulic re- 
sistance to flow than single- phase (water) coolant. Consequently, 
subsequent flow results in flow instability, which is exacerbated by 
the flow decaying faster than the power in the first few seconds 
of the accident Here, too, parallel channel effiects that may cause 
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coolant to bypass individual channels are critical to an understand- 
ing of the reactor behavior. At present, for the Savannah River 
lo8S-of*coolant accident, there is an inadequate understanding of 
coolant boiling, heatup^ and flow dynamics. 

The Savannah River contractor has recently developed an ex- 
tensive program to modify the reactors and to improve the exper-* 
imental and calculational basis for demonstrating the adequacy 
of system response to a lo6s*of-coolant accident. The program 
includes addition of a fourth emergency cooling feed line in all 
three Savannah River reactors, modifications to the fuel and tar- 
get assemblies, and various improvements in the experimental and 
computational data base to support the analysis of loss-of-cooling 
conditions. The contractor plans to install the fourth additional 
system in the L Reactor by November 1987 and in the K and P re- 
actors by November 1988. A sununary of the contractor's program 
to restore full power operation is included in Appendix C. 

Recommendation: The Department of Energy should ensure 
that before restoring full power operation at Savannah River it 
satisfies itself, on the basis of a rigorous external review, that it 
has a thorough understanding of the behavior of the Savannah 
River reactors in a loss-of- coolant accident 



N Reactor 

Conclusion: A thorough understanding of the behavior of N 
Reactor in a major loss-of-coolant accident does not exist. Cur- 
rent understanding is based on the dated evaluations reflected 
in the Safety Analysis Report of 1976. Several past attempts 
to apply state-of-the-art tools have failed, largely because of 
numerical difficulties that are now being resolved. 

Emergency core cooling system capability associated with a 
variety of loss-of-coolant accidents was reassessed in the 1976 edi- 
tion of the N Reactor Safety Analysis Report. A slightly modified 
version of a computer code developed for application to commer- 
cial reactors (RELAP4) was used in these assessments. The most 
severe case resulted in computed fuel temperatures of approxi- 
mately 1400® F, at the time that coolant reflood (recovery of core 
flow) begins. This is only about 400® F below the temperature at 
which fuel failure would be expected. 
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Core heating in the N Reactor during a loss-of-coolant acci- 
dent is determined by a number of factors, including (1) the time 
required for depressurization (blowdown) to the pressure level at 
which the ECCS can be actuated and (2) the flow pattern of 
coolant in the core during this time. The most damaging breaks 
in the system would be expected to occur in the cold leg of the 
primary coolant loop. This is especially true for break sizes that 
result in an early flow stagnation (loss of flow because of closure 
of check valves in the cold-leg riser). In these cases, the blowdown 
time would be prolonged, and the core temperature would reach 
high levels. 

This physically intuitive view is supported by the RELAP4 
computer code results, but there is a need to reassess the cooling 
capability over a range of accident scenarios, break sizes, and 
locations. There are also some special aspects of the calculation 
that require further evaluation. 

1. The RELAP4 code is based on a simplified treatment of 
two-phase flow (homogeneous equilibrium). This may be adequate 
during the early stages of blowdown, but this approximation be- 
comes progressively inappropriate as the system empties and loses 
pressure. The impact of this inaccuracy has not been quantified 
for the N-Reactor piping system. A 1964 test has been cited ^a 
a benchmark for validation of the computer code, but the mea- 
surements of transient pressures and blowdown rates in that test 
contained large uncertainties. The value of the test as a benchmark 
is further in question because it was an adiabatic test (that is, no 
heat transfer occurred because there was no secondary coolant and 
no nuclear power in the core). 

2. The RELAP4 code, as used in these calculations, had 
additional smiplifications that are not present in more up-to-date 
computer codes. For example the whole reactor core was treated as 
a <iingle flow channel. Similar simplifications were also employed in 
representing other volumes in the system. This approach can lead 
to analytical errors in predicting conditions in localL'^d regions 
and consequently to errors in blowdown rates. Further uixcertainty 
is introduced by the use of an empirically determined discharge 
coefficient that is constant in time. The validation experiments 
performed for the RELAP codes are more applicable to commercial 
reactors than to the distinctive horizontal geometry of the N- 
Reactor core. As a result, the time-dependent parameters such as 
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ducharge coefficients may not provide a good characterization of 
N-Reactor depressurization. 

3. In many of the calculations the predicted core flow is highly 
oscillatory. It was initially thought that this result was a conse- 
quence of the particular numerical representation of check valves 
in the cold-leg riser, but more refined calculations failed to resolve 
this apparent numerical difficulty. It is unlikely that the existence 
of local numerical instabilities in the analysis would necessarily in- 
validate the entire blowdown calculation, but the difficulties may 
be based on real phenomena and should be resolved. FunHermore, 
if these calculated oscillations are only resolved through numerical 
means, unrealistically high predictions of core cooling rates may 
result. The reported results of the calculations were not suffi- 
ciently detailed to allow the conunittee to assess this aspect of the 
problem. 

4. The reported calculations did not analyze the postulated 
accident into the period of reflooding, and some calculations were 
stopped even earlier, ^parently because of numerical mstabilities. 
Preliminary attempts, using an advanced version of the same coni* 
puter code (RELAP5), also exhibited instabilities. This difficulty 
has only recently been overcome and studies are continuing. It is 
important to recognize that there are physical reasons for expect- 
ing condensation-driven flow and pressure instabiliiies to occur. 
In fact, an indication of these phenomena was observed in venturi 
meter data acquired firom the hot dump test of 1964. These insta- 
bilities must be examined even though they are difficult not only 
because of the need to develop an understanding of the overall 
hydrodynamic behavior of N Reactor, but also because they raise 
the possibility of intense water hammer events which could affect 
the structural integrity of N-Reactor pressure tubes. 

The safety analyses performed for hypothetical loss-of-coolant 
accidents in the N Reactor have focused on large break accidents 
because the contractor believes these present the most severe chal- 
lenge to the emergency core cooling and confinement systems. 
Since small-break loss-of-coolant accidents are much more likely 
to occur, it is important to assure that adequate protection is 
provided for these accidents as well. In the event of a small break 
in the reactor coolant piping, valves designed to open, which 
would depressurize the system, m effect turning small-break acci- 
dents into large-break accidents. The committee believes that spe- 
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ciai consideration should be given to small-break accidents in the 
ongoing probabilistic risk assessment (PRA) in order to evaluate 
the likelihood of multiple failures which would prevent depressur- 
ization and to estimate the potential consequences of these types 
of events. 

Recommendation: A thorough understanding of the l^havior 
of N Reactor in a major loBS-of- coolant accident should he 
urgently developed. This understanding should he hased on 
state-of-the-art a/ialytical tools, and these tools should have the 
ahility to analyze potential thermal shock and water hammer 
phenomena. The use of these tools should he accompanied hy 
rigorous quality assurance of the computer codes, as well as 
experimental validation of the results, particularly with respect 
to the distinctive horizontal geometry of the N-Reactor core. 

PROBABILISTIC RISK ASSESSMENT 

Conclusion: The risks associated vnth operation of the defense 
production reactors are currently inadequately un itrstood; ef- 
forts to evaluate those risks hy probahUistic risk assessment 
methods are still in their early stages. 

The DOE hae been slow to undertake PRAs for the production 
reactors. The committee finds this fact disturbing, in light of the 
time that has passed (12 years) since the publication of the NRC's 
Reactor Safety Study. Additionally, more than a dozen utility- 
sponsored PRAs have been completed on commercial reactors 
while the DOE and its contractors have only recently begun studies 
for DOE r3actors. The principal value of the PRA lies not in the 
calculation of bottom-line probabilities of severe accidents but in 
the acquisition of engineering insights into ways to improve plant 
safety. 

PRA studies are frequently divided into three levels of de- 
tail and completeness. Level 1 PRAs are limited to calculating 
the probabilities of accidents that involve significant fuel dam- 
age. Level 2 PRAs also include estimates of the timing, type, and 
amount of radioactive materiak released from the plant. Level 3 
PRAs include calculations of risks to public health and of economic 
consequences of radionuclide r'^lease. 
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The general methods of analysis used to perform a Level 1 
PRA ar6 independent of the type of reactor being analyzed and 
have become well developed over the past dozen years. However, 
the prediction of severe accident behavior, as required to perform 
a Level 2 PRA, involves methods of analysis that are plant-design 
dependent. As discussed in the section on severe accident analysis, 
these methods are not well advanced for the production reactors. 
Although a Uvel 2 PRA can be performed with crude methods 
of analysis, the uncertainties in the estimated risk will be large. 
Nevertheless, the results can be used as an aid to decisionmaking if 
the uncertainties are characterized and considered. The extension 
of a Level 2 PRA to a Level 3 PRA does not involve substantial 
additional effort. 

At the request of the DOE, Los Alamos National Laboratory 
is undertaking Level 1 PRAs for the production reactors at both 
sites. Preliminary results for the N Rieactor were provided to the 
committee. These studies are not sufficiently advanced to use as a 
basis for decisionmaking at this time. 

Additionally, both contractors have agreed to perform Level 3 
PRAs for their plants. Each is currently performing a Level 1 PRA 
and developing the methods for a Level 2 analysis. Because the 
development of the Level 2 methods will require substantial time 
and will delay the completion of the PRA, the ccxnmittee suggests 
that, as a parallel effort to the computer-cede based i4>proach that 
is now being pursued, Level 2 analyses shoukl be performed with 
simple physically based models. This would permit early insights 
to be obtained and would provide a physical understanding of 
the severe accident processes that must be included in the code 
analyses. 

The committee strongly supports the PRA efforts that are 
being undertaken for the production reactors. We encourage the 
completion of these studies as expeditiously as practical. The 
conmiittee also believes, however, that the quality of the PRAs 
must be high in order to aid in decisionmaking. Some aspects 
of a state-of-the-art PRA that are essential to a credible product 
include the following: 

• Independent peer review, 

• Use of site- and plant-specific data, 

• Extensive involvement of plant operators. 
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• Analysis of external accident-initiating events (e.g., earth- 
quakes), 

• Analysis of common-cause failures, and 

• Characterization of the uncertainties in the estimated risk. 

Recommendation: The Level 1 and Level 2 PRAs currently wn- 
der way for the Hanford and Savannah River reactors should 
be completed and subjected to peer review as expeditiously as 
possible. Their results should be used to evaluate plant modifi- 
cations that can reduce the assessed risks and to identify and 
evaluate research to reduce uncertainties. DOE and its con- 
tractors should recognize, however, that the principal benefits 
of the production reactor PRAs will not derive from the acci- 
dent probabilities that are calculated, but from the engineering 
insights that normally accompany the development of these 
tools on a plant-specific basis. 

SEVERE ACCroENT EVALUATION 

Conclusion: The existing level of understanding of severe ac- 
cident behavior for the production reactors is inadequate to 
permit a realistic assessment of the effectiveness of these de- 
signs in mitigating the consequences of severe accidents. 

Information on the severe accident behavior of the produc- 
tion reactors is critical. The Adm aistration and the Congress 
face important decisions about the future of the production re- 
actors which will be difficult to make in the absence of essential 
information regarding the specific risks of these plants and their 
effectiveness in mitigating severe accidents. Level 1 probabilistic 
safety studies of the plants have only recently been undertaken. 
Extending these probabilistic safety studies to an analysis of pub- 
lic health consequences (the so-called Level 3 PRA) will require a 
capability to analyze severe accident behavior. As noted, such a 
capability does not now exist. 

Severe Accident Behavior 

Improvements were made at the production reactors in operar 
tor training and control room operations as a result of the lessons 
learned from the accident at Three Mile Island. Similar improve- 
ments were made in the commercial reactor industry, but in the 
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commercial industry these improvements were complemented by 
major research efforts to understand commercial power reactors 
under hypothetical severe accident conditions. Programs to un- 
derstand hypothetical severe accidents at the production reactors 
took far longer to get organized and were on a much smaller scale. 
Prior to Chernobyl, DOE and its contractors continued to rely 
principally on design-basis accident analyses performed in the late 
19608 and early 1970s. These analyses focused on exceedmgly un- 
likely, large-break loss-of- coolant accidents which were considered 
to be "worst case" or so-called "maximum credible accidents." 
The attention given these accidents by the DOE contractors is 
similar to the attention given them by the commercial reactor 
industry prior to the introduction of more comprehensive prob- 
abilistic risk assessment techniques. As a result, the production 
reactors have been designed, constructed, and modified in order to 
cope with the events accompanying these "worst case" accidents. 
DOE and its contractors have given much less attention, however, 
to more probable accidents such as those involving small breaks 
in the coolant system or accidents involving multiple or "conmfion 
mode" equipment failures. In sum, throughout the early 1980s the 
level of understanding of severe accident phenomena for the pro- 
duction reactors remained roughly comparable to that available to 
the commercial reactor industry in 1975. 

The Chernobyl accident reinforced the principal lesson of 
Three Mile Island that accidents more severe than the design 
basis— accidents that were often considered "incredible" in the 
past— could indeed occur. Although a limited external review of 
the N Reactor in 1982 and the ongoing response to Three Mile 
Island at Savannah River in 1984 had engendered programs to 
reassess the potential for severe accidents at the production reac- 
tors, these initiatives were small in scale and low in priority. Since 
Chernobyl, these programs have been expanded and accelerated. 

The program at N Reactor is an exclusively analytical effort 
initiated in October 1986. Some program elements are to continue 
through 1989, but most of them are to be completed in 1987. 
Analyses of severe accidents are to be performed using older com- 
puter codes that were developed for the production reactors and 
with modified codes developed for analyses of commercial reactors. 
The program is to include reexamination of hydrogen generation 
and hydro5en behavior, estimation of fission-product release from 
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degrading fuel and the subsequent behavior of the fission prod- 
ucts, examination of accidents involving events other than rupture 
of main coolant pipes, and more up-to-date analyses of accidents 
considered in the N-Reactor safety aalysis report. There are, in 
addition, analytic efforts in support of ongoing probabilistic safety 
studies and analyses of reactivity transients md neutronic effects. 

The program now being planned at Savannah River is a more 
comprehensive effort. Current plans call for a program lasting 
about four years. Major elements in the plan include development 
of an integrated computer code system to model the progression 
of hypothetical severe accidents in the Savannah River reactors. 
There are also plans to develop information and data to support 
these modeling efforts, particularly in the areas of two-phase flow 
phenomena, radionuclide release and transport, energetic events 
such as hydrogen combustion, fuel-coolant interactions and inter- 
actions between core debris and concrete, reactor operability, and 
equipment response to severe accident conditions. This program 
complements an ongoing effort to upgrade the confinements at 
Savannah River. 

Although the analysis of severe reactor accidents at the pro- 
duction reactors should utilize, wherever possible, the substantial 
technology developed for commercial reactor safety studies, it is 
important to recognize that the production reactors are quite 
different from commercial reactors. As a result, the production 
reactors would be expected to behave differently under severe ac- 
cident conditions. The application of computer codes developed 
for commercial power reactors to the unique circumstances of the 
production reactors, therefore, presents major difficulties. Exper- 
imental data that reflect the unique features of the production 
reactors are necessary to validate the models and computer codes 
being used to analyze potential severe accidents but are currently 
unavailable. 

There have bean no severe accidents at the production reac- 
tors. Still, such acciaents cannot be ruled out. A 1985 review of 
the Savannah River power system, conducted at a time when con- 
struction activities then in progress affected the availability of the 
system, revealed extraordinarily high probabilities for complete 
loss of power to the reactor areas. The committee does not know 
the current reliability of the power system, but the earlier report 
is sufficiently extraordinary to raise concerns. The consequences 
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of the loss of reactor power— station blackout— is being considered 
in the contractor's PRA. 

Areas of severe accident behavior for the production reactors 
that need investigation include all the phenomena known to be 
important to an understanding of hypothetical severe accidents 
in commercial reactors. Among the critical areas that require 
examination are the foUowing: 

1. Thermal Hydraulics The behavior of coolant flows in the 
production reactors is discussed elsewhere in this chapter in con- 
nection with the discussion of limits on maximum operating power. 
Similar uncertainties in the behavior of coolant flows exist with 
respect to the more drastic conditions that would occur durmg 
severe accidents. 

2. Thermal Shock A related phenomenon of concern is ther- 
mal shock. The conmiittee believes that the po^c-^tial for brittle 
shock fracture of overheated process tubes dur^g degraded emer- 
gency core cooling injection needs to be morj thoroughly consid- 
ered for the N Reactor, especially in light of the age of many of 
these tubes and the existing uncertainties about the extent of flaws 
and cracking. 

3. Radionuclide Release Assurance that the confinement sys- 
tems of the production reactors will sufficiently mitigate the ra- 
diological consequences of a severe accident cannot be provided 
without knowing the extent and nature of radionuclide release 
from the fuel. Yet safety analyses of the production realtors have 
been based on antiquated estimates of radionuclide release that the 
little experimental data available have shown to be invalid. More 
recently, in order to accommodate the latest data on radionuclide 
release from Sa/annah River fuel, the Savannah River contractor 
has changed the mode of operation of the Savannah River reac- 
tors, placing the emergency spray systems on continuous standby. 
The conmiittee believes that while this is a useful measure, more 
thorough, integrated analyses need to be done in order to assure 
that sprays in the reactor room will sufficiently attenuate the more 
extensive radionuclide release it is now believed could take place 
if a severe accident were to occur at the Savannah River reactors. 

4. Fuel Damage Progression The evaluation of fuel melt- 
ing in a severe accident raises a number of complex questions 
relating to the progression of melting and the behavior of the 
melted material. The data bases available on melt progression 
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for the production reactors are quite iimited^ and data obtained 
for conunercial reactor fueb are wholly inapplicable. It has been 
established that uncertainties in the melt progression phase of a 
hypothetical severe accident affect predictions both of hydrogen 
generation for the N Reactor and of core debris interactions after 
expulsion from the Savannah River reactor vesseb. The predicted 
course of an accident at N Reactor would be radically altered if 
the assumptions made concerning melt interactions with process 
tubes are inaccurate. 

5. Hydrogen Generation Hydrogen generation has proven to 
be a major issue in the analysis of severe accidents in commercial 
power reactors. The principal source of hydrogen in conmiercial 
reactors (with oxide fuel) is steam oxidation of fuel cladding. In 
the production reactors not only will the cladding react with steam 
but the fuel itself will react to form hydrogen. At N Reactor, the 
graphite moderator block can also react with steam to form both 
hydrogen and carbon monoxide. Despite these many potential 
sources of hydrogen, analyses done to date for the production 
reactors have indicated that little hydrogen would be produced. 
These results have been criticized in several previous reviews of the 
N Reactor. The committee also has questions about these findings 
and believes a more definitive validation of the calculations on 
which they sire based is warranted. (See the discussion on hydrogen 
generation elsewhere in this chapter and in Appendix G.) 

6. Radionuclide Transport and Behavior in Containment The 
accident analyses performed for the production reactors have 
largely ignored radionuclide deposition within the reactor coolant 
system and have assumed about a 50 percent deposition of iodine 
within the confinement. Analyses for the N Reactor have assumed 
a very high decontamination of evolved gases by the confinement 
sprays. These assumptions have not yet been verified. By adopt- 
ing these assumptions, the contractors have obviated the need 
to analyze possible delayed revaporization of deposited radionu- 
clides that might result in the delayed release of radioactivity to 
the environment if revaporization were to occur at a time wh^n 
confinement capabilities are degraded. These are issues that have 
recently assumed some importance in the analysis of hypothetical 
severe accidents in commercial power reactors and deserve more 
thorough consideration for the production reactors. 

7. Behavior of Core Debris Once It Leaves tke Reactor Vessel 
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The uninterrupted progression of a severe accident at the Savan- 
nah River r^^actors would result in debris being expelled from the 
reactor vessel. Understanding the ensuing interactions between 
core debris and concrete has become important in safety analyses 
of commercial power reactors because of the potential for gener- 
ating combustible gas and radionuclide release. At the Savannah 
River reactors, available data do not adequately address the ques- 
tion of interactions between concrete and the unique core debris 
mass that would be expected to be formed in a severe accident. 
Potential interactions between reactor fuel and coolant once the 
fuel leaves the reactor vessel is another issue that deserves more 
refined analysis at Savannah River. These interactions migiit be 
highly energetic, if not explosive, in nature and even nonexplosive 
interactions could serve as sources of combustible gas, con£nement 
overpressurization, and radionuclide release. 

8. Confinement Loading The confinement structures sur- 
rounding the production reactors were not designed to be ro- 
bust like the containment3 surrounding commercial power reac- 
tors. The conmuttee is concerned that the production reactor 
confinements may be vulnerable to rapid pressure pulses. Such 
pressure pulses need not be shock waves such as those produced 
by combustible gas detonation or fuel-coolant inceraction. Pres- 
sure pulses of only a few pounds per square inch could result in 
rupture of the confinement filters and the direct discharge of fis- 
sion products from the plant (see the discussion on confinement 
elsewhere in this chapter). Such pressure pulses could arise as a 
result of hydrogen combustion or interactions between molten fuel 
and coolant. 



The committee believes that a substantial and time-consuming 
effort would be required to conduct a severe accident research 
program that fully responds with the necessary high degree of 
credibility to the issues enumerated above. If N Reactor is to 
be shut down in five years, or shortly thereafter, it would not 
be reasonable to undertake a significant and costly program of 
analytical modeling and experimental validation. Such a progran; 
would require three to five years to complete and thus might 
be completed too late to provide any benefit. Comprehensive 
severe accident analyses for the Savannah River reactors will be 
similarly costly and time-consuming. But, as discussed below, 
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the committee believes such a program should be undertaken at 
Savannah River without deiay. 

There is a clear need in the near term to obtain a mor^ ad- 
vanced understanding of the production reactors under hypothet* 
ical severe accident conditions. A more advanced understanding 
of severe accidents is essential to support current efforts at both 
sites to extend probabilistic risk assessments from Level 1 to Level 
3 studies and to develop meaningful descriptions of the ' iks posed 
by the production reactors. Reduction in risk is a critical factor 
m establishing priorities for upgrading the reactors. Currently a 
range of hardware changes, including the hydrogen mitigation sys- 
teiii at N Reactor and changes in the confinements of the Savannah 
River re^'ctors, have been proposed and are being implemc. :;ed. 
Superior understanding cf the physical and chemical phenomena 
that can arise in revere accidents is needed in order to ascertain 
if these modifications provide sufficient reductions in risk and to 
make sound decisions on the need for any further hardware changes 
in the reactors. 

It is not at all clear to the conmiittee that a sufficiently credi- 
ble understanding f f severe accident phenomena can be obtained 
in the near term by applying computer codes developed for com- 
mercial power reactors to the production reactors — the ^ ;>proach 
adopted for the N Reactor. It may be more useful to devise new, 
simpler models that reflect the peculiarities in the designs and 
the physical phenomena that can arise in the production reactors 
than to adapt mo^ ls developed for conmiercial nuclear reactors. 
This would at least permit a limited understanding of the poten- 
tial severe accident vulnerabilities of the reactors and provide the 
foundation for a more integrated treatment of risk, along the lines 
o the long-term program planned for the Savannah River reactors. 

Regardless of the approach adopted for analysis of severe ac- 
cidents, however, it should be recognized that the results will 
be subject to significant uncertainties. Substantial reductions in 
these uncertainties can only be achieved based on the results of 
programs of piototypic experimentation. This means that m the 
near term, in lieu of those results, lai je safety margins will have 
to be employed both in systems design and operat g limits. 

The conunittee recognizes that t\e ration 1 choico of a strat- 
egy for severe accident evaluation hinges on assumptions {ibout the 
remaining life of the production reactors. It is conceivable that a 
decision to shut dow . the existing production reactor however 
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aged they may be, could continue to be deferred by the Adminic- 
tratiou and the Congress. This raises the possibility that a decision 
to employ simplified models and to defer or eliminate a substan- 
tial program of severe accident research now could turn out io be 
shortsighted. Accordingly, decisions on reactor life and the need 
for alten ative prouuction capability should be confronted without 
delay. In this respect, the situation facing DOE at Hanford is quite 
different from the situation at Savannah River. 

Power Ebccursion Accidents 

One severe-accident scenario that requires prompt evaluation 
at Savannah River relates to the possibility of a r'inaway power 
excursion like that at Chernobyl. Severe accidents that would re- 
sult m the melting of fuel and the release of radioactive material 
would originate from an imbalance between the power generated 
in the reactor fuel and the heat removal capacity of the available 
coolant. Such an imbalance might develop either because the abil- 
ity to remove heat from • ^ surface A the fuel has been degraded 
(for example, by reduct in coolant flow or loss of coolant), or 
because too much pow. has b-en generated in the core (such 
as from inadvertently wn ig the cortrol rods from the re- 

actor). Because the Chernocy* accident involved the latter type 
of condition — a rapid insertion of positive reactivity — the com- 
mittee examined the characteristics of the production reactors to 
assure that similar reactivity accidents could not dev3lop in these 
plants. It was the development of a large, positive, re activity feed- 
back effect that made the RBMK reactor fundamentally unstable 
and was one of the n.ajor contributors to the Chernobyl accident. 
Once steam bubbles were formed in the coolant channels of the 
RBMK reactor, the interaction between higher power and more 
steam bubbles resulted in an increase in power, leading to a violent 
excursion. 

As r .ted elsewhere in the report, the production reactors 
do not have positive reactivity characteristics of this type, and 
the pviteniial for mdi a major increase in power under normal 
operatmg conditions does not appear to exist. However, in 1958 
melting experiments performed on Savannah River fuel tubes in 
the SPERT reactor in Idaho led to the identification of a potential 
mechanism by which positive reactivity insertion could occur in the 
Savannah River reactors in a severe accident. Particles released 
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from molten fuel might be carried upward into the moderator 
space in the reactor plenum after being swept from the degraded 
core, producing a positive reactivity eflfect. 

Subsequent analyses in 1979 indicated that actuation of ei- 
ther the primary scram system or the computer-controlled backup 
scram system, which injects a liquid poison into the core to control 
reactivity, would be adequate to prevent the propagation of fuel 
melting for reactivity accidents initiated by the complete blockage 
of a Savannah River fuel assembly. However, if both systems were 
to fail, melting could be induced in neighboring assemblies by the 
combined effects of increased power and flow instability. Further- 
more, calculations showed that if the blockage occurred in a target 
assembly of exceptionally high reactivity, even the operation of 
the backup system might not be adequate to prevent propagation 
of fuel failures and a potential runaway power excursion. 

In a recent DOE technical safety appraisal of the Savannah 
River reactors it was recommended that analyses be made of the 
^potential recriticality from a molten fuel mass slumping to the 
tank bottom." Although the conmiittee recognizes that the prob- 
ability of such an event may be remote, it feels that more attention 
should be given to the potential for reactivity addition in severe 
accidents at both production reactor sites. 

Reeommendation: Near- term deeUioM on changes in the de- 
sign and operation of the production reactors aimed at reducing 
severe accident vulnerabilities must rely on simple models and 
substantial safety margins. At each of the sites the Secretary 
of Energy should make a prompt and realistic assessment of 
thr length of time the existing reactors are to operate. If there 
is a significant probability that the lives of these reactors wUl 
be extended beyond the next few years, the Department of En- 
ergy should commit to a significant program of severe accident 
model development and validation. Data from the program 
should be applied in a continuing reexaMnation of the risk of 
severe accidents and a review of the design and operation of 
the plants. 

Recommendation: DOE should ensure that the ongoing PRAs 
at both sites examine the risk of accidents involving reactivity 
addition and failure to scram, paying particular attention to 
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the potential for common mode failures involving both the pri- 
mary and backup scram systems or other potential anticipated- 
transientS'Without'Scram (ATWS) type accidents. The design 
basis of the backup scram system at Savannah River should be 
reviewed against the results of the PRA analyses when they 
become available. 



CONFINEMENT SYSTEMS 

Conclusion: There are significant uncertainties in the abUities 
of production reactor confinements to mitigate radionuclide 
releases that would be expected to occur during severe accidents. 

Production reactors ditfer from U.S. commercial nuclear power 
plants 'n that they use confinement systems rather than reactor 
containments as barriers to the release of radionuclides. A reactor 
containment is designed to retain both gaseous and particulate 
radionuclides within a nearly leak-tight volume. Release of both 
gaseous and particulate radionuclides would be possible, however, 
if the containment volume were breached during an accident. Con- 
finement systems, by contrast, are designed to control the flow of 
effuents produced during reactor accidents at substantially lower 
pressures so that these effluents would pass from the system along 
prescribed pathways that are equipped to attenuate the release 
of the more noxious radionuclides. If the system were to operate 
as designed in the event of an accident, it would allow the re- 
lease of some gaseous radionuclides — such as xenon, krypton, and 
tritium— but would prevent catastrophic confinement failure and 
the unattenuated release of other radionuclides. 

There is no compelling evidence that mere adoption of the 
containment concei;t would substantially improve the safety of 
the production reactors. The committee concludes that in theory 
the confinement approach ".an be an acceptable means for mitigat* 
ing accidents. The conunittee has some difficulty, however, with 
the way the confinement concept has been implemented at the 
production reactors. Two issues are of immediate concern: 

• The ability of mitigation systems (i.e., filters and sprays) 
to perform adequately during severe accidents, including the ca- 
pability of the confinement filters to withstand loads developed 
during severe accidents; and 
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9^ The incompatibility of the confinement philosophy with 
the discharge of liquid effluents, especially following an accident. 

A summary descri^^ "^ion of the first concern is presented be- 
low. More detailed discussions are to be found in Appendix B. 
The issues arising from the discharge of liquid effluents from the 
production reactors are discussed elsewhere in this chapter and in 
Appendix E. 

At the Savannah River and N reactors, mitigation of radionu- 
clide releases during accidents is provided by filtration systems 
composed of the following components: 

• Demisters, 

• High-efficiency-air-particle (HEPA) filters, and 

• Charcoal beds to absorb iodine. 

These systems have been designed based on calculations of the 
release of radionuclides from degrading reactor fuel. (The calcular 
tions were not mechanistic; that is, they do not include desci iptions 
of the actual mechanism of radionuclide release.) 

Research performed in connection with commercial nuclear 
power plants, as well as recent studies of radionuclide release from 
the Savannah River reactor fuel, show that the source term as- 
sumed in the design of the confinement system may be greatly 
underestimated. For example, there may be greater releases of 
radionuclides In the form of aerosol particles and this greater mass 
of aer^^l particulate is not ar unted for in the calculations. Fur- 
ther.nore, the design of the confinements may not acconunodate 
the icjge quantities of nonradioactive aerosol particles that might 
be produced in an accident. The filters used in the production 
reactor confinement systems are efficient at trapping radioactive 
particles, but they are quite limited in the total amount of partic- 
ulates they can trap. If challenged in a severe accident by large 
quantities of particles — quantities far in excess of the filter-design 
capacity — the filters could overload and rupture, leading to unat- 
tenuated escape of radionuclides subsequently released from the 
fuel. 

In addition, the pressure drop that can be withstood by the 
filter systems is not l&rge- ^ibout 0.5 psig. Thus, the filters can- 
not be counted on to do their job unless the contractors' accident 
analyses demonstrate that there would be no precsure pulses suf- 
ficient to rupture the filter systems. Such analyses have not been 
completed. (In this connection, see the discussion of hydrogen 
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generation and mitigation elsewhere ia this chapter and Appendix 
G) 

Fog sprays are used in the N-Reactor confinement to augment 
the attenuation of radionuclide releases from the plant should 
there be an accident. The contractors' analyses suggest that more 
than 98 percent of the aerosol suspended in the confinement at- 
mosphere after an accident would be trapped by these sprays and 
would not reach the filter system. These analyses assume large 
aerosol particle sizes (5 and 15 /im). Particles this large would 
be entrapped by spray droplets, whereas smaller aerosol parti- 
cles would be inefficiently captured. The analyses are also based 
on single-compartment, contained experiments rather than on the 
more realistic multicompartment, "once-through" flow system of 
the N'Reactor confinement, with nonuniform spray coverage. The 
committee is sware of no demonstration that under realistic acci- 
dent conditions the spray system would be as efficient as assumed 
in the N-Reactor safety analysis. 

A fundamental assumption of the N-Reactor confinement sys- 
tem desiga philcsop by is that, after an accident, release of radioac- 
tivity from the fuel occurs only after the depressurization of the 
reactor coolant system has been completed. Gases released to ^he 
confinement during renctot coolant system depressurization would 
be vented to the environment without filtration. Once depressur- 
ization had occurred, flow from the confinement would be filtered. 
Clearly, such a system is only effective m attenuating releases of 
radioactive materials to the environment if the initial depressur- 
ization is in fact completed before radioactive materials enter the 
system. Within the context of a J^evel 2 or Level 3 probabilistic 
risk assessment, a spectrum of severe accident sequences should be 
examined to determine whether :here are scenarios in which acci- 
dent timing could permit a significant unfiltered release to occur 
during initial depressurization. One such scenario might mvolve 
fuel melting while the reactor coolant system is still pressurized so 
that radioactive materials are released before the confinement sys- 
tem has been vented. Further preventive actions will be necessary 
if the likelihood of these scenarios is found to be substantial. 

Recommendation: The Department of Energy should demon- 
strate whether the confinement systems at the production re- 
actors have the capabilities (1) to withstand realistic accident 
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loads, and (2) to pro^de acceptable atten'4ation of realistic 
radionuclide releaaes in the event of a severe accident. 

HYDROGEN GENERATION AND MITIGATION 
N Reactor 

Conclusion: A concept for hydrogen mitigation has been devel- 
oped for the N Reactor thct involves forced mixing to prevent 
deflagrable hydrogen concentrations from developing, monitor- 
ing of hydrogen concentratiotu at key points within the con- 
finement, and exhausting and inerting the confinement atmo- 
sphere. The committee's overall assessment of the approach 
is favorable. However, there are aspects of the underlying 
analyses and potential limitations of the proposed system that 
deserve careful evaluation. 

The Department of Energy plans to install a hydrogen mitigation 
system in N Reactor by December 1987. This mitigation system 
will be based on several analyses currently under way. In >pril 
1987, DOE asked the committee to review the Department's ^lans 
for providing additional hydrogen mitigation c^>abilities at N Re- 
actor and to provide comments on the Department's approach to 
the hydrogen mitigation issue. The committee has responded to 
this request in a separate letter report to the Secretary of Energy 
that is reprinted in full in Appendix G and excerpted here: 

''The protection of the public in the event of a severe accident 
at the N Reactor depends on ^maintaining the integrity of the 
reactor's confinement system — the safety system that is designed 
to attenuate the release of fission products in the event of an 
accident. Because the confinement has not been designed for — 
and is unlikely to be able to withstand— hydrogen bums of any 
significant size, it is important that combustible concentrations 
of hydrogen be prevented within the confinement, except in very 
localized areas near the hydrogen source. 

''In order to evaluate this issue, the contractor for the facility 
has conducted a series of analyses in which certain defined releases 
of hydrogen \sere assumed to occur in a number of locations within 
the confinement. The results of the^e analyses indicated to the 
contractor that, for the assuined rate and quantity of nydrogen 
released, then* are only two locations m the OHifinement where 
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combustible limits could be achieved — the pipe-barrier space and 
the pressurizer-penthouse area. In other areas of the building, the 
contractor predicted that mixing would be sufficient to prevent a 
flammable concentration from being reached. 

"The contractor further concluded that even if a burn were 
initiated in the pipe-barrier space, the increase m pressure would 
be dissipated in the larger volume of the confinement building 
and the confinement function would not be defeated. In order to 
mitigate the potential problem in the penthouse and to provide 
additional protection from the release of hydrogen in a severe 
accident, the contractor has developed a concept for a hydrogen 
mitigation system. The proposed concept is intended to satisfy 
four basic functional requirements: 

• Provide adequate mixing between subcompartments of the 
building to assure that burnable concentrations of hydrogen do 
not accumulate. 

• Monitor hydrogen concentrations at various locations with- 
in the building. 

• Fill the confinement with inert gas after the initial release 
of steam to assure that burnable composHions are precluded in 
the long term. 

• Provide an exhaust system to displace air to support the 
inerting function and to establish a lower pressure in the building 
than outside the building, thus preventing outleakage through the 
walls and bypass of the filter system. 

"The first function is to prevent burnable concentrations of 
hydrogen. The second function provides information to plant staff 
that could be useful for identifying and mitigating severe accident 
situations. The latter two functional requirements could be just 
as important in that, if properly implemented, they could provide 
a margin of protection in the event that releases of hydrogen are 
greater than the assumed hydrogen source. 

"The contractor considered alternative approaches co hydro- 
gen mitigation. Preinerting and distributed ignition systems, 
which aie methods for hydrogen control used in commercial re- 
actors, were found not to be appropriate for the N-Reactor con- 
finement system. The initial venting of the building atmosphere 
that occurs in the proper operation of the confinement system 
would defeat any preinerting system, and the confinement might 
not be able to withstand pressure pulses that could occur with 
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a distributed ignition system, particularly for accidents involving 
large releases of hydrogen. This latter conclusion is consistent 
with the observation of pressure rises of many pounds per square 
inch in tests of ignition systems performed by the Electric Power 
Research Institute in a large-scale facility at the Nevada Test Site. 
Within the bounds of reasonable cost, there is no apparent pre- 
ferred alternative to the concept proposed by the contractor. 

^The committee's overall assessment of the general approach 
to hydrogen mitigation is favorable. In indicating its agreement 
with the general approach to hydrogen mitigation at N Reactor, 
the conmiittee is not rendering a judgment as to the adequacy of 
the proposed system. Any judgment as to the adequacy of the 
system must be guided not only by an assessment of the general 
approach, but also by careful analyses of the system under various 
hypothetical accident scenarios, evaluation of a detailed design, 
and construction and operation in compliance with appropriate 
safety standards. Because the analysis is only at a preliminary 
stage, the conmuttee'e review addresses only the first of these 
necessary factors. 

^The basic strategy of forced nnixing to remove the potential 
for hydrogen pockets, monitoring of hydrogen at key points within 
the confinement, and the activation of an inerting/exhaust func- 
tion appears to be sound. Indeed, the approach may provide a 
margin to acconmiodate some uncertainty relating to the amount 
of hydrogen generated in an accident. However, as discussed fur- 
ther below, there are aspects of the underlying analyses and certedn 
potential limitations of the proposed system that deserve further 
careful evaluation. 

^The principal aspects of the approach that merit further 
study or improvement may be briefly summarized as follows: 

• The system design is premised on a specific accident sce- 
nario. In the committee's view, the predicted performance of the 
mixing and inerting systems should be examined for a broader 
spectrum of accident scenarios and release rates for hydrogen. 
For example, the assumption of the continuing operability of the 
Graphite and Shield Cooling System (GSCS) in the event of an 
accident needs a thorough examination, particularly m terms of 
any possible degradation of the GSCS in an accident. 

• In the course of examining a broader spectrum of accident 
scenarios and hydrogen release ro.Les, the contractor should extend 
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the mixing calculations to address localized mixing and combus- 
tion. In addition, the contractor should examine the geometric 
configurations near possible release points in order to assure that 
localized concentrations of hydrogen do not permit local detona- 
tion that could challenge the confinement or other safety systems. 

• The capability of the filter system to withstand the loading 
of aerosols in an accident should be reviewed, and if necessary, the 
capability of the system should be upgraded. 

• The survivability of vital sensors and mitigation equipment 
shoulc' be assessed. The equipment must be capable of operating 
in severe-accident environments characterized by wide variations 
in thermal-hydraulic, radioactive, and inert aerosol loads, and high 
radiation fields. 

• The increased discharge of radioactive noble gases to the 
environment in the event of an accident, because of the operation 
of the forced exhaust system, should be examined. While oper- 
ation of the proposed hydrogen mitigation system is expected to 
decrease the risk of failure of the confinement due to detonation 
or deflagration in an accident, and thus to decrease the risk of 
catastrophic radiation release, the exhaust of radioactive noble 
gases would also result in potential increases in whole-body doses 
to persons outside the plant. Thus, means should be investigated 
to assure satisfaction of the dose limits of 10 CFR 100 without 
relaxing the speed with which inerting takes place. Such an in- 
vestigation should take into account recent research that shows 
that the actual quantity and chemical form of the fission products 
released in a severe accident would be quite different from the 
source terms commonly assumed in such analyses in the past." 

Recommendation: The committee has recommended that its 
concerns be addressed in the development of a detailed design to 
implement the proposed approach to hydrogen mitigation. The 
detailed design should be subjected to an independent review 
before adoptior.. 

Savannah River 

Conclusion: The improved confinement system currently un- 
der development at Savannah River may cause a buildup of 
hydrogen in the event of a severe accident. 

Plans are under development at the Savannah River reactors 
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for an improved confinement system that would be capable of 
trapping noble gases and tritium during a severe accident. The 
committee is concerned that the overall risk of the Savannah River 
reactors could be inadvertently increased by some of the changes 
required to make the improved confinement system operate. With 
the existing system, the rate of airflow from the reactor room would 
be so high that the rate of hydrogen production during an accident 
would have to be very large to permit hydrogen concentrations 
that would reach flanunable limits that could damage confinement. 
With the improved confinement system, however, most of the air 
would be recirculated and only a small flow, 2000 cfm, would be 
exhausted through the filter system to the environment. While 
this increases the ability of the confinement to retain noble gases 
and tritium, it also means that the system would permit hydrogen 
concentrations in confinement that would be substsoitially higher 
than those allowed in the current configuration. 

The trade-oS" between mitigation of noble gas and tritium 
release and increasing the likelihood of a hydrogen combustion 
event that could disable the filter system must be weighed very 
carefully. 

Recommendation: The proposed improved confinement system 
at Savannah River should be reviewed to evaluate the potential 
benefits and added risks of the proposed system, particularly 
with respect to the enhanced possibility of hydrogen-combustion 
events. 

CERMET FUEL 

Conclusion: The cermet fuel being coui^idered by the Savan- 
nah River contractor may be susceptible lo exothermic reaction 
under accident conditions. The contractor is currently inves- 
tigating the composition and behavior of the fuel to determine 
whether such a reaction is precluded by reconstitution of the 
fuel during the manufacturing process. 

Over the last several years, the Savannah River contrau:tor has 
been developing a ceramic-metal composite (or cermet) fuel (UsOs 
particles dispersed in an aluminum matrix), as an alternative to 
the current fuel, which consists of a uranium-aluminum alloy clad 
in aluminum. The committee is concerned that this type of fuel 
could undergo an exothermic chemical reaction during a severe 
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accident. By a reaction analogous to the thermite reaction (a re- 
action between iron oxide and aluminum in a powdered mixture 
that is used to produce an intense heat source), significant en- 
ergy release can result from the oxidation of aluminum and the 
corresponding reduction of UaOs: 



(4/3)AI + UaOg ^ 3 UO2 + (2/3)Al203 

(exoergic by about 225 calories per gram of UaOs reacted). Ob- 
viously, any fuel that is susceptible to this type of reaction poses 
special accident risks. 

The contractor is conducting analyses to determine wh ther 
chemical alteration of the U3O5 takes place during manufc^cture 
that will substantially reduce heat generation by the metallother- 
mic reaction. If substantial edteration in the composition of the fuel 
does not occur and the reaction were to ignite locally, it is possible 
that the reaction could propagate. Although there is some basis 
for believing that the reaction would not ignite at the melting tem- 
perature of aluminum (the range of ignition temperature is 1150 
to 1273 K in comparison wiirli the aluminum melting temperature 
of 933 K), it is not clear whether fission-product contaminants 
in the irradiated iv^l might reduce the ignition threshold. Fur- 
thermore, it cannot be assumed that the maximum (pre-thermite 
reaction) temperature that would occur in a severe accident would 
be limited to the melting temperature of the aluminum matrix. 

The contractor is investigating the susceptibility of the fuel 
to ignition. In experiments with fuel to date, low-temperature 
initiation of the reaction has not been found. However, some 
evidence of a low-temperature surface reaction of aluminum with 
sodium uranates has been found. Continued investigations of the 
thermal behavior of the cermet fuel are under way. 

A more complete discussion of the issues aissociated with use 
of cermet fuel is provided in Appendix F. 

Recommendation: The Savannah River contractor should dem- 
onstrate that the U^Oi in cermet fuels currently under develop- 
ment ts sufficiently reduced during the manufacturing process 
to preclude significant metallothermic reaction in a reactor 
accident, or this approach should be dropped. 
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HUMAN PERFORMANCE 

Conclusion: Recent programa appear to have been effective in 
improving operator training and procedures at the production 
reactors. However, other activities, such as the recording and 
analysis of trends in human performance and the application 
of computers to reactor operation, appear to need further up- 
grading. 

The accidents at Chernobyl and Three Mile Island might have 
been avoided but for a series of operator and management errors — 
errors of both commission and omission. The committee assessed 
operator training and performance at the production reactors in 
terms of five general requirements: 

• Correct, clear, concise, comprehensive, and well-written 
operating and emergency procedures; 

• Rigorous training and retraining to ensure the operating 
staff is qualified, including state-of-the-art training equipment, 
control room simulators, and procedures that develop diagnostic 
ability; 

• Close adherence to approved procedures but clear direction 
of how to proceed if a procedure seems incorrect or inadequate; 

• Rigorous control of all actions that could deactivate safety 
equipment or safety functions; and 

• Correct, clear, and easily understandable instrumentation, 
controls, and information aids in the control room. 

Operating and Emergency Procedures 

On the whole, the operating procedures used at the production 
reactors appear to be well written and understandable, although 
there have been isolated instances in the last year in which certadn 
procedures «vere determined to be in need of improvement or were 
not being followed. Such incidents, although very undesirable, 
do occur at all reactors. The commercial industry established 
the Institute of Nuclear Power Operations (INPO), in part, to 
define benchmarks of excellence in reactor operations, including 
those related to the use of operating and emergency procedures. 
Although the production reactor contractors have limited access to 
INPO, they have been successful in establishing some interaction 
with INPO in this area. 
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There are basic differences in the use of formal procedures 
at the two sites. At Savannah River, operators are expected to 
follow explicit procedures for essentially every step of the opera- 
tion. At N Reactor, procedures are used for proper handling and 
switchover of equipment, but routine operation is based largely 
upon operator understanding of plant behavior. This difference is 
reflected in fundamentally different approaches to training at the 
two sites. Savannah River has developed procedurally oriented 
computerized diagnostic aids for its operators for both training 
and operation, whereas N Reactor relies more on in-depth class- 
room, homework, and simulator training aimed at strengthening 
the operator's ability to understand and diagnose plant behavior. 
It is not clear which of the two styles is superior; both contractors 
would probably benefit from analysis and incorporation of aspects 
of the other's approach. 

With regard to emergency or abnormal event procedures and 
training, both sites use procedures that are based on an identifica- 
tior of the causes of observed deviations from normal operation. 
Nt.uher site currently has an exclusive set of general procedures 
geared toward controlling critical safety functions in an accident. 
Such procedures, which are common in the commercial indus- 
try, are often called "symptom-based" procedures and are used 
to maintain safety conditions during an incident independent of 
whether or not the incident has been correctly identified. State- 
of-the-art symptom-based procedures at commercial reactors also 
provide guidance for responding to more severe accident condi- 
tions. Work is under way to develop symptom-based procedures 
at the production sites and to develop training appropriate to their 
use. Both contractors would benefit by reviewing the symptom- 
based approach taken by the commercial industry. 

Training 

IVaining and qualification of operators have been intensively 
examined at both sites since the accident at Three Mile Island. 
In addition, the two contractors have increased their interaction 
with external groups with expertise in operator training. The N- 
Reactor contractor has expanded contacts with INPO, the Region 
4 Interoperating Utility Committee, and two programs run by the 
DOE Office of Nuclear Safety — the Training Coordination Pro- 
grams and the Training Resource and Data Exchange (TRADE). 
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The Savannak River contractor 1 < been actively \ ir^icipat- 
ing in TRADE has attemp to foster closer ties to INPO, 
and last year sent two engineers to an INPO training course on 
human performance evaluation. 

TVsdning simulators that replicate t^ie actual control rooms in 
the plants have recently been installed at both sites. Although 
they do not simulate severe accident conditions, the simi .^itors 
offer a wide range of control room response? for operator waining. 
Reprogranmiing of the simulators would be required to provide 
simulation of severe accidents, and this improvement should be 
undertaken. 

The production reactor simulators have proven to be valuable 
for functions other than training. In the course of usin^ the simu* 
Ihhor at N Reactor, for example, the co!:cractor recently discovered 
that me timing circuitry foi" the confin nent vent vul/es had beer 
improperly designed and would not have functioned appropriately 
in certain accident scenarios. The ners bave since been rowiiad 
and the problem resolved. 

Earlier in the chapter, the conmiittee reconmiended thht prob- 
abilistic risk assessments be completed as expeditiou.ily as possible. 
Such PilAs can also play an important role in operator training 
to respond to severe accidents, as they have ./eady done in the 
commercial industry. The PRAs can serve as models of the plants. 
H operators are familiar with the PRA, ^hey will be in a better 
position to understand the plant's response to initiating events 
and possibls ^.ccident progressions. 



The committee found reasonable adherence to procedures at 
the production reactors, comparable to what one would expect 
to find at a typical comr ercial reactor. However, there is a need 
at both sites for more in-depth analysis of the underlying causes 
ot reactor incidents, as previous reviewers have noted. Incident 
reports are uot currently written in a way that permits a clear 
determination of the specific actions taken by plant personnel and 
how those actions might relate to what occurred. Part of the dif- 
ficulty appears to lie in the understandable reluctance of incident 
report writers to criticize their colleagues and supervisors openly. 
The Savannah River contr ctor has tried to overcome the problem 
by usin^ a reactor operations review committee as a ^orum for 
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exploring incidenU in greater depth, examining their causes, and 
identifying better ineans of preventing their recurrence. Clearly, 
unless the causes of incidents are properly identified, there is little 
hope of establishing meaningful trends in human performance. 

Safety System Bypasses 

The manipulation of safety system instrumentation appears 
to be strictly controlled at the production reactors. Special in- 
terlocks and detailed procedures have been developed to prevent 
any unauthorized bypassing of safety systems such as occurred at 
Chernobyl. In fact, the Savannah River contractor reviewed the 
Chernobyl sequence of events with operators to underscore the 
important 9 of closely following procedures when safety systems 
must y ..J passed. 

Compnterised Systems 

A process computer system is used at Savannah River to 
control routine reactor operations. It is analogous to an autopilot 
in an airplane in that it cannot be used during startup or shutdown 
and its at normal operating power levels is optional. Ic is 
on important system at Savannah River because of the tendency 
toward xenon osciPacions ir large h^&vy-water moderated reactor^. 

One lessen from the Three Mile Island accident was the need 
to improve the human factors aspects — the interface between op- 
erators and equipment — of nuclecr reactor control rooms. In re- 
si*onse to this n'^ed, th Savfinnah River contractor has dev^eloped 
a computerized diagnostic aid known as the Diagnosis of Mul- 
tiple ;iarms (DMA). The DMA system iz not a type of Safety 
Parameter Display System (SPDS) like those installed in commer- 
c^^' reactors after the Three Mile bland accident. Rdther, it is 
a c >mputerized system that employs a specific se^ of truth tables 
to identify and priontize the operating procedures that should 
be used by the operators in response to deviations from normal 
operation. 

The purpose of the DMA system is to perform in a short 
time the analysis that operators would ot wise have to perform 
during an emergency, at a time when numerous alarms ^ave been 
activated in the control room. In such a situation, the operators 
might have too much information to select the proper response. 
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The DMA system selects the appropriate procedures and lists 
the order in which they should be implemented. As with the 
simulator at N Reactor, development of the DMA system has 
led to unanticipated results. A number of errors in logic in the 
existing Savannah River procedures were discovered during the 
development of the DMA system. 

Implementation of suggestions from the post-Three Mile Is- 
land reviews also resulted in improvements to the N-Reactor con- 
trol room. Unused switches were removed from control panels 
and the control room alarm was replaced. The conmiittee has 
been advised that a more recent review of the control room has 
been conducted and that an evaluation is in progress to determine 
whether additional changes are needed. 

The current trend in production reactor operations is toward 
greater control of plant equipment using digital systems. This 
appears to be occurrirg, however, with very little oversight from 
DOE. It is important to recognize that while computerized sys- 
tems may reduce the likelihood of certain kinds of human error, 
they io not eliminate error; computerization merely shifts the bur- 
den of performance from one human activity to those specifically 
related to the use of computers, such as software engineering. The 
Savannah River reactors, for instance, have computer control sys- 
tems governing the operation of their "charge-discharge" machines 
(which are used to remotely insert and remove fuel and target as- 
semblies from the reactors). Although the machines have been 
operated successfully .:rough many charge-discharge operations, 
there have been a number of recent incidents involving breakdowns 
of one kind or another. The contractor plans to replace the existing 
charge-discharge system computer with a newer, larger memory 
system, but the kinds of incidents that have occurred reflect tLe 
more general need for better software reliability. 

It should be noted that the recent DOE Design Review rec- 
ommended replacing the contractor's software quality assurance 
programs with a more rigorous, mandatory program. Such a pro- 
gram has been initiated by the contractor in the current fiscal 
year. The program elements incmde code configuration control, 
documentation requirements, coding practices, validation and ver- 
ification, and assignment of rebponsibilities. At the planned level 
of effort, it will take the contractor four years to work through 
the current backlog of codes. In the same report DOE also recom- 
mended maintaining on a continuous basis a coterie of qualified 
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personnel who could serve as backup to contractor staff qualified 
to work on the reactcr control and safety computer software. Since 
this second pro|{ram is run by the plant and the program discussed 
above is run by the laboratory, the Department should ensure that 
both plant and laboratory software reliability programs meet the 
same high standards. 

N Reactor has experienced similar problematic behavior from 
its computerized systems, and in particular the controls govern- 
ing the plant's secondary system (the byproduct steam system). 
Causes of these problems include misalignment of components 
within the control machinery and poor software. In response, the 
contractor has recently adopted stricter rules governing software 
changes. 

Very high reliability is required for the software that is used 
in the design of the core loading for each cycle at Savannah River. 
Since each core composition is different, a detailed reactor physics 
analysis must be performed prior to loading the fuel and target 
assemblies. Thus, many opportunities are presented for errors to 
occur which could lead to severe consequences, such as inadvertent 
criticality during loading or melting of an assembly. Tu9 commit- 
tee believes that th-^ adequacy of the existing quality assurance 
procedures to control the frequency of core c<xifiguration design 
errors shou^ 1 be examined from a probabilistic viewpoint in the 
ongoing PRa. 

Recommendation: The DOE eontraetora shoidd expedite the 
development and incorporation of procedures and training 
alrned at restoring critical safety functions and controlling 
critical safety parameters in the event of abnormal conditions. 

Recommendation: More thorough analyses of the causes of re- 
actor incidents should be conducted in order to improve human 
jferjOi manct. 

Recommendation: Better methods for analyzing trends in An- 
man performance should be developed. 

Recommendation: The management of software engineering 
activities should be reviewed and improved. DOE should spon- 
sor an independent leview of computerized systems at both 
sites to ensure that the systems are fault-tolerant 
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LIQUID EFFLUENTS 

Conclusion: Discharge of radionucUdc'Contaminated liquids 
from the production reactor confinements into open basins, as 
occurs during normal operation of the N Reactor and as could 
occur during c :cidents at both sites, poses a safety hazard. It 
is also an environmentally unsound practice. 

In the event of a severe accident at the Savannah River reac- 
tors or the N Reactor, radionuclide-contaniinated liquid effluents 
would be discharged from the plant. At Savannah River, the 
discharge would be first to a 60,000-gaUon tank and then to a 
500,000-gallon tank, both of which are vented back i. to the reac- 
tor confinement. Overflow from the tanks, however, would be to 
an opf n, 50,000,000-gallon basin. Flow to thr^ 500,000-gaUon tank 
in an accident could be as high as 14,0C0 gallons per minute, so 
overflow into the open basin could occur in as httle as one hour. 

Discharge of liquid effluents at N Reactor both under normal 
operating conditions and c*iring an accident is to a 6,300,000- 
gailon unlined pit or 'crib." The liquids drain into the groimd 
below the pit alk>wing the possibility of eventual contamination 
of the groundwater and the introduction of elevated levels of ra- 
dionuclides into the Columbia River. Contamination of the liquid 
effluents from N Reactor during an accident would be especially 
severe since substantial attenuation of airborne radionuclides from 
the re«.^tor is achieved with water sprays and the contaminated 
spray water would be discharged to the ''crib." Congress is cur- 
rently considering a line item in the FY 1988 defense authorization 
bill that would provide monies to build a Waste Effluent TVeatment 
Facility for the N Reactor. 

In the past, discharges to the ''crib" during normal oper- 
ation of the N Reactor have averaged about 1330 gallons per 
minute. These discharges amounted to releases of about 6000 
curies per year of radioactivity with half-lives greater than 48 
hours — primarily radioactive isotopes of cobalt and strontium. 
Discharge of these contaminated liquids from the N Reactor is 
clearly an environmentally unsound practice and has been criti- 
cized as such in previous safety reviews. Indeed, only a waiver of 
a currently efiective Department Order has allowed the practice 
to continue. During the current standdown of the reactor, the 
contractor has made modifications that are expected to reduce 
the discharges during normal operation to about 505 gallons per 
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minute and about 4100 curies per year. The contractor is now 
working on a filtration system that would further reduce the rar 
dioactivity of the discharges to about 1900 curies per year and has 
proposed installation of an ion exchange system, which has not yet 
been funded, that would reduce the discharge to about 50 curies 
per year. 

Under accident conditions, the discharge of radionuclide- 
contaminated liquids from the producticm reactors violates the 
confinement concept of defense-in-depth against radionuclide re- 
lease and constitutes a safety hazard. The hazard under accident 
conditions is not merely eventual contamination of groundwater. 
Rather, it is that radionuclides — especi&lly iodine — can vaporize 
from the discharged liquids. Those radionuclides that vaporize 
from the liquid eflSuents would be released to the environment 
and would thus have bypassed the protection that ib meant to be 
provided by the confinement system. 

Consideration of iodine vaporization from water pools has 
been included for some time in the analysis ci reactor accidents at 
commercial nuclear power plants. (A detailed technical discussion 
of the chemical processes involved in iodine vaporization is pro- 
vided in Appendix E.) Vaporization can occur because molecular 
iodine can be formed in water by oxidation of iodide ions: 

2 r + 2 H+ + (1/2)03 h (aqueous) + H2O. 

Though some hydrolysis of the iodide to HOI occurs, further 
oxidation to iodate, 10 J, is kinetically slow. Consequently, the 
dissolved molecular iodine can vaporize: 

I2 (aqueous) ^ I2 (gas) 

and the vapors can be carried away by ambient air currents. The 
extent to which molecular iodine will be formed depends on the 
water temperature, hydrogen ion concentration, total iodine con- 
centration in the liquid, and time. There is evidence that the ra- 
diation field produced by the dissolved radionuclides can enhance 
the vaporization of iodine frcxn water pools. Thus, accidents at 
the production reactors could lead to significant airborne releases 
of radioactive iodine, yet these releases have apparently not been 
properly considered in accident analyses for the plants. 

In addition, iodine is quite reactive, especially in a radiation 
field. In particular, iodine in aqueous media will react with many 
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organic materials, including plastics, to form CHal, which will 
vaporize from the water. Plans to upgrade basins at the N Reactor 
by lining and covering tbem with polyethylene sheets may be 
frustrated by the reactive nature of iodine in intense radiation 
environments. 

Reeommendation: The Dtpartment of Energy should estab- 
lish ways to protect the environment from the radionuclide* 
contaminated liquid effluenti discharged during normal oper- 
aiion of the N Reactor. Means should also be found at both 
Hanford and Savannah River to prevent the direct discharge of 
contaminated liquid effluents to the environment following an 
accident. 



Conclusion: Emergency planning and response capabilities at 
the Department of Energy's production reactor sites appear to 
be comparable in terms of onsite preparedness to those at com- 
mercial reactor f acuities. Off site planning and preparedness, 
however, do not appear to be on a par with those of localities 
surrounding a commercial reactor. 

The nuclear accident at Chernobyl mvolved the prolonged and 
extensive dispersion of large quantities of radioactive materials 
throughout the environment. Aspects of the response by Soviet 
authorities to the accident appear to have been unprecedented. To 
date, the measures taken by tuc Soviets to respond to the accident 
have not been thoroughly assessed in order to determine whether 
there are any lessons that can be learned that would impnne 
emergency preparedness in the Unitei: States. 

There are aspects of emergency prepa^-edness .it Hanford and 
Savannah River that are significantly stronger than at most com- 
merci«J U.S. nuclear power plants. First, the size of the sites and 
low population density around them significantly ease the diffi- 
culty of providing effective planning and response. Although there 
are large numbers of onsite workers at each site, they are gen- 
erally clustered in a few locations snd should be relatively easy 
to protect in the event of an emergency. Second, the large num- 
bers of facilities and contractor organizations located at the sites 
make available extens^ resources (for example, knowledgeable 
staff and equipment for radiation monitoring and meteorological 



EMERGENCY PLANNING 




67 



assesi^ment) that could be marshalled in the event of an accident. 
Both sites also indirectly benefit from proximity to commercial 
nuclear reactor facilities that have their own emergency prepared- 
ness activities, including substantial involvement of state and local 
government orgaoizationB. The Vogtle Nuclear ^lant is located 
about 10 miles from the Savannah River site, and the Washing* 
tan Nuclear Plant 2 is located within the Hanford site boundary. 
Although the committee did not explicitly oxamine the relation- 
ship between DOE's field offices and state and local government 
response organizations, DOE should assure that the emergency 
preparedness of thocie organizations, and their conmiunications 
with them, are adequate to protect the health and safety of offsite 
individuals* 

DOE has conducted audits of the emergency planning organi- 
zations and procedures at Hanford and Savaaoah Piver over the 
past six years. These have resulted in a series of reconrnienda- 
tions for improvements to facilities, procedures, and training. The 
most recent appraisal for the Savannah River production reactors 
concluded that the emergency preparedness program was effective 
and provided thre^ recommendations for improvements. One rec- 
ommendation was that the Savannah River contractor revise its 
claasificaticm ot' emergency response levels so they conform with 
DOE and commercial nuclear industry practice. This r* x>mmen- 
dation had been made previously, in reviews following the Three 
Mile bland iuxident, but was not implemented by the contractor. 
The ccHnmittee understands that actions have now been imple- 
mented in response to each of the three items identified by the 
appraisal team. 

DOE's most recent ^praisal of emergency preparedness at N 
Reactor also concluded that the contractor's emergency response 
organizatbn and facilities were generally adequaf^ to protect the 
health and safety of the public in the event of a reactor acci- 
dent. The appraisal incli«ded several reccHmnendations for im- 
provements, and actions have either been implemented already 
or are planned to address each of the specific items cited by the 
appraisal team 

The purpose of emergenc*' preparedness is to provide persons 
responsible for action in the event of an emergency with adequate 
knowledge, understanding, equipment, and facilities for making 
and implementing reasoned decisions. It is important that the 
planning basis consider the entire spectrum of events that might 
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occur, from benign to severe. DOE Orders (5500.2, 5500.3) require 
that all "credible" accidents be analyzed and that estimates of the 
characteristics of associated accident scenarios and source terms 
be used as a basis for emergency planning. 

Within the limits of the existing definition and analyses of 
credible accidents at the production reactors, the Hanford and Sa- 
vannah River emergency planning organizations, staflf, facilities, 
and training appear to be generdly quite good. Frequent exer- 
cises of the response staff and procedures have been held at each 
site, and Savannah River emergency planning staff participate in 
Federal Emergency Management Agency (FEMA) evaluations of 
conmiercial reactors and in federal-level radiological emergency 
exercises. However, DOE and its contractors do not fund or par- 
ticipate in annual preparedness activities with state and local 
governments. The ability of emergency response organizations to 
cope with accidents beyond the current design basis (for example, 
ful! core melt accidents wivh confinement and filter failures) needs 
to be more fully addressed. As results and insights are gained 
from ongoing and future s*»vere accident analyses and PRAs, they 
shonM be reflected in changes to existing emergency plans and 
in future exercises. Finally, the committee believes DOE should 
assure itself that both contractors have adequate answers to such 
questions as: (1) Given a slew-developing accident, what criteria 
should be used on which to base a decision to evacuate and what 
information is needed to assess the criteria? (2) Given an accident 
in progress with releases to the environment having already oc- 
curred and still under way, how best can the extent, distribution, 
and movtwOii^' of the radioactivity in the outside environment be 
monitorec? so ab to make rational decisions regarding emergency 
actions? ^3) b the information gathering network on traffic con- 
ditions, weather, and competing emergencies adequate for on-line, 
ad hoc decisionmaking? (4) Is there a readily accessible data base 
available on the local hydrology, transportation routes, tq>ograr 
phy, demography, temporal changes in the population density on 
an honrly basis, and meteorology? and (5) Is there a site-specific 
atmospheric transport model available at the emergency response 
center that can be used interactively with real-time weathvr data 
to project the movement of the radioactivity for short times into 
the future in order to predict who is at risk and when? 
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Recommendation: Emergency planning activities at the De- 
partment of Enetgy^B production reactor Atea should consider 
the entire spectrum of accidents that could occur, going 6e- 
yond design-basis accidents to include large-scale core melt 
accidents. As results and insights are gained from ongoing se- 
vere accident analyses and probabilistic risk assessments, they 
should be reflected in changes to emergency plans, training, 
and facilities. 

The U.S. Department of Energy and its contractors should fund 
and participate in annual preparedness exercises with state and 
local governments. 

The Department of Energy should also analyze those lessons 
learned from the Chernobyl accident that relate to emergency 
planning and response to determine if improvements in re- 
gional and national capabilities are warranted. 
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Strengthening the Technical Basis of 
Reactor Safety Management 



THE ROLE OF THE DEPARTMENT OF ENERGY IN 
HISTORICAL CONTEXT 

The Department of Energy and its predecessor agencies have 
been responsible for the production of defense nuclear materi- 
als since that task wais originally assigned to the Atonnic Energy 
Commission (AEC) in 1946. In 1974 the AEC was reorganized 
into an independent Nuclear Regulatory Commission (NRC) and 
a program-oriented agency within the Executive Branch (the En- 
ergy Research and Development Administration or "ERDA"); the 
latter became the basis for the Department of Energy in 1977. 

The AEC led the way in reactor safety. It was an agency 
formed at the beginning of the atomic age with the sole mission 
of developing and controlling the use of nuclear technology. The 
DOE, on the other hand, is a department of the Executive Branch 
with many nonnuclear responbiuilities. Despite its origins in the 
AEC, DOE's potential for leadership in nuclear safety technology 
has becii constrained by the assignment of regulatory functions to 
other organizations and by the preeminence within the federal gov- 
ernment since the mid-1970s of the view that nuclear technology 
ought to be developed principally by private industry. 

Commercial experience with nuclear reactor operation \\sls 
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now become far more extensive than that of the DOE. The com- 
mercial nuclear industry in this country currently encompasses 
more than 100 nuclear power plants. It is regulated by the Nuclear 
Regulatory Commission, which has no responsibility for DOE!- 
owned reactors. For ^he most part, national leadership on matters 
of nuclear safety has shifted to the NRC in its role as regulator of 
commercial nuclea'' power plants. 

Funding constraints have also acted to diminish the role that 
DOE has been able to play in the area of reactor safety. For many 
reasons — including the many demands that were placed on the 
DOE in the late 1970s in the wake of rapid increases in interna- 
tional oil prices — DOE reactors did not receive the same funding 
priority as they had in prior years. As a result, reactor upgrades 
and even some plant maintenance were deferred. Mounting bud- 
getary pressures in the 1980s restricted production reactor funding 
so that the DOE safety program was devoted largely to catching 
up with deferred maintenance. Upgrades intended to enhance the 
safety of the plants received limited funding or were postponed. 
As noted in Chapter 2, these factors have had lingering effects. 
The effects can be seen today in such practices as the treatment of 
liquid effluents from the production reactors and the N Reactor's 
antiquated methods of refueling. 

The current DOE mode of operation differs from the mode 
of operation that existed during the days of the AEC. At both 
agencies the basic strategy was to delegate maximum resp ^nsibility 
to the contractors, and in each caise most of the technical expertise 
has resided there. Yet during the AEC era, there was also a small 
group of the highest technical quality In the headquarters staff 
whose role, simply expressed, was to keep the contractors' feet 
to the fire. This smal! headquarters staff usually had adequate 

lence, because its members were as technically competent as 
those in the field, and it was widely understood that they had the 
full backing of the hestdquarters program directors. The AEC also 
had good reason tr^ assume highest quality in the contractors. The 
people who had designed the reactors were contractor employees. 
Until recently, some of them were still on board. They knew every 
nut and bolt in the reactors they were operating. In sum, with 
the breakup of the AEC and the passage of time, the technical 
experience in headquarters, in the field, and in the contractors' 
staffs has diminished. 

The breakup of the AEC also led to a loss of outside oversight 
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of the production reactors. NRC plays no role in assessing the 
safety of DOE reactors, and there is no standing committee of 
non-DOE advisors paralleling the Advisory Committee on Reactor 
Safeguards (ACRS). The ACRS, which continues to provide advice 
on reactor issues to the NRC, was originally created in 1946 to 
assist the AEC. At the outset, the ACRS reviewed only AEC 
production, research, and test reactors since there were as yet no 
commercial reactors. 

One of the first issues addressed by the ACRS concerned the 
suitability of the Haiiford site for the production of plutonium. 
For years the ACRS maintained separate subcommittees on the 
Hanford and Savannah River production reactors, which met fre- 
quently and provided a steeuly uow of expert and independent 
advice. With the abolition of the AEC, regular review of the 
production reactors by the ACRS ceased, and the ACRS subcom- 
mittees on the production reactors were disbanded. Although the 
system was not perfect — for instance, ACRS had no mechanism 
for ensuring that its concerns were resolved — the ACRS did fo- 
cus attention on important issues and encourage im^^rovements in 
the safety of the production reactors. The Secretary of Energy is 
authoriied, however, by 42 U.S.C. 5814 to seek advice from the 
ACRS. Although DOE has used this authority to acquire ACRS 
review of new reactor designs such as the Fast Flux Test Facility, 
it has not sought ACRS advice on the production reactors, and no 
other body has been created to assume ACRS's role. 

The accident at Three Mile Island (TMI) in 1979 had a ma- 
jor impact on the regulation of commercial nuclear power. As a 
result of the accident, the NRC and commercial nuclear utilities 
embarked on a wide-ranging and expensive program to improve 
commeicial rea^.tOi safety; the implementation of this program is 
still in progress todav. Although DOE played a part in the process 
of extracting lesions irom the accident, it has been slow to incorpo- 
rate those lessons in i.^e operation of its own reactors. In mid- 1980, 
the Under Secretary of Energy formed an in-house panel to study 
the safety of DOE's largt reactors in light of the TMI accident. 
The study, however, was narrowly focused on operator qualifica- 
tions and training. Even to, the panel's report clearly pointed 
out, among many othe** nndings, that DOE not effectively 
carrying out its responsibilities with respect to nuclear safety, and 
furthermore, that it did not have the in-house capability to do so. 

Six years later, only one of the f jndamental recommendations 
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made as a result of the DOE's study has been implemented — 
elevation of the functions of environmental protection, safety, and 
health to the level of an Assistant Secretary. The equally impor- 
tant recommendation to ^^tablish effective outside oversight of the 
DOE reactors still has not been addressed. Recently, however, 
the Department has indicated a willingness to have some form of 
external oversight established. 

Following the Chernobyl accident, DOE moved to reevaluate 
its reactors. In addition, between November 1986 and November 
1987 DOE took a number of highly visible actions at three DOE 
reactor sites: 

• DOE extended the N Reactor's annual outage in order to 
implement a substantial portion of the many safety enhsuicements 
recommended by internal and external reviewers who examined 
the plant in the wake of the Chernobyl accident. 

• At Savannah River, DOE reduced the reactor power level 
by 50 percent and required the contractor tc develop an acting 
plan designed to assure that adequate emergency core cooling 
capability could be demonstrated. 

• DOE shut down the High Flux Isotope Reactor for safety 
reasons and placed other facilities at Oak Ridge on standby be- 
cause of poor management practices. 

These actions responded to hndings of specific deficiencies. 
As dramatic as these measures have been, th«;y have not answered 
the underlying question of whether DOE can fully discharge its 
safety responsibilities with the resources and mangement praccices 
it now uses. 

THE CURRENT MANAGEMENT SYSTEM 

The production reactors are operated by contractors selected 
by DOE. At both Hanford and Savannah River the contractors 
maintain large staffs that are responsible for reactor operation, 
engineering, safety, and environmental protection, among many 
other functions. The contractors benefit from staffs that are ex- 
perienced and reasonably technically sophisticated and are led by 
senior managers who typically have long-standing familiarity with 
the reactors. Each site also has the benefit of an associated support 
laboratory of national repute. As one reviewer noted in 1985, ^thc 
DOE's fundamental operational tenet is to put responsibility for 
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safety primarily upon the contractors " Although this delegation 
of operational responsibility to contractors may be appropriate, 
the as8ignmt;nt does not relieve DOE of its legal mandates to 
assure public safety and to supervise contractor performance. 

Within DOE the primary responsibility for the safe operation 
of the reactors lies with its line management. Authority flows from 
the Secretary, through the Under Secretary, to the managers of the 
local operations oflSces at the two sites. The managers of the oper- 
ations oflSces at the Hanford and the Savannah River sites are the 
DOE oflScials who are primarily responsible for providing program 
direction to the contractors, and who must assure the implemen- 
tation of adequate environment, safety, and health programs. By 
comparison with the contractor organizations, the staffs of the 
DOE operations offices are relatively small. As currently struc- 
tured, both the Savannah River and Richland operations offices 
each have one division responsible for the actual operation of the 
reactors and a separate division, reporting to the manager, re- 
sponsible for auditing the performance of the contractor in terms 
of compliance with safety, quality assurance, and environmental 
requirements. 

Although the manager of the operations office plays a key role 
in assuring the attainment of production objectives and the safe 
operation of the reactors, the manager's activities are significantly 
affected by at least two other DOE oflScials. The production goal 
and the budget allocation for the reactors is developed by the 
Assistant Secretary for Defense Programs (DP). Contrc '>ver the 
budget gives this Assistant Secretary significant power i affect 
the activities of the operations office and the contractor. (The 
manager of the operations office, nevertheless, may independently 
raise budget issues with the Under Secretary as may the Assistant 
Secretary for Environment, Safety, and Health.) In addition, pro- 
posed plant modifications, changes in technical specifications, and 
safety analyses must be approved by DP. 

Within the DOE, oversight of the safety, quality assurance, 
and environmental performance of both the DOE line management 
and the contractors is the responsibility of the Assistant Secretary 
of Environment, Safety, and Health (ES&H). ESi^H conducts in- 
tensive appraisals of the production reactors and the contractors' 
activities. This oversight function has been significantly upgraded 
in the past year and a half. The size and technical depth of the 
permanent staff of ESi^H is still not large, especially in relation to 
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the size of tbe defense production enterprise as a whole, although 
the ES&H caff is augmented for the purpose of conducting site 
appraisals the use of consultants. 

In suir. the operations offices are responsible to two separate 
offices in Vte DOE headquarters. The effectiveness of this arrange- 
ment dept^nds on the balance of capabilities in those two offices 
and thei relative authority. 

PRINCIPAL AREAS FOR IMPROVEMENT 

V: jleT the current set of arrangements, ES&H is charged i^ith 
coordinating with DP in the establishment of departmental safety 
stand'irds and with independently monitoring the safety perfor- 
mance of the contractors and the operations offices Both ESicH 
and D? have access to the Under Secretary and the Secretary, so 
that ia principle these officials may also become directly involved 
in arty given decision. Yet, in the absence of independent external 
review, both of these headquarters organizations and the Under 
Secretary depend on the field offices and the contractors for infor- 
ms cion about the day-to-day operation and level of safety achieved 
in the plants. Except on an ad hoc basis, the Secretary has no 
aczeas to objective external expertise, which would provide inde- 
pf-adent judgment of the quality of the standards set by ES&H, 
the supervision provided by the field offices, or the performance of 
t e contractors. 

The conmiittee's conclusions and recommendation? as to 
I 'OE's management of the reactors relate to three principal find- 
' us: (1) DOE's overreliance on its operating contractors; (2) 
weaknesses in the current implementation of the DOE manage- 
ment approach; and (3) the need for increased outside involve- 
a:ent. 



DOE^s Relationship with Its Contractors 

Conclusion: The Department of Energy, both at headquarters 
and at the Richland and Savannah River operations offices, 
has relied almost entirely on its contractors to identify safety 
concerns and to recommend appropriate actions. In largt part 
this results from a marked imbalance in technical capabilities 
and experience between the contractors and the DOE staff. 
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The contractors responsible for the operation of the N Reactor 
and the reactors at Savannah River have excellent records of safe 
operation. There have been no major reactor accidents at these 
facilities. Both facilities have records of avoidance of lost workdays 
as a result of on-the-job ii^uries at least 10 times better than that 
of U.S. industry as a whole. 

Perhaps because of the contractors' records of accomplish- 
ment, DOE has tended to defer itlmost exclusively to the contrac- 
tors' expertise and to rely on the contractors to identify, evaluate, 
and resolve safety issues. This appears to be due partly to the 
imbalance in levels of staffing and partly to differences in technical 
training and experience, as discussed below. 

The contractors at the production reactors have a large per- 
manent staff, while the DOE presence on these sites is relatively 
small. For example, the DOE field organization staff charged with 
oversight of operations at N Reactor consists of only eight to ten 
professionals, the auditing group includes only one person with 
full-time responsibility for the reactor, and the safety group has 
two to three professionals with full-time responsibility for the reac- 
tor. Thii contrasts with a contractor staff of approximately 1200 
at N Reactor. One DOE official explained that the Department's 
approach is to "skim over the surface" in the hope of ''sensing^ 
problems that justify closer examination. 

The DOE staff also does not have a depth of technical experi- 
ence commensurate with that of the contractor staff. (At Savan- 
nah River the greater experience of the Du Pont staff is diluted 
to some extent by Du Pont's traditional practice of continually 
rotating mid-level staff in and out of positions of responsibility.) 
At Richland, for example, the committee was told that the typical 
DOE staff member entered employment with DOE as a first job 
upon graduation from college and has been in DOE's employ, on 
average, for two to three years. These persons obviously possess 
no reservoir of technical experience and have not benefited fr<Hn 
extensive contact with the external technical community. More- 
over, DOE technical staff may leave government service after a 
short tenure, or move on to other staff or management roles. 

The inherent limitations of this approach are demonstrated by 
the events that led to the current 50 percent reduction in power of 
the Savannah River reactors. As noted in Chapter 2, in order to 
establish allowable upper limits for reactor power, the Savannah 
River Laboratory conducted experiments in 1979 focusing on the 
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capability of the Savannah River reactor emergency core cooling 
systems. By 1981 personnel in the contractor's reactor department 
had become convinced that the 1979 experiments were deficient. 
Thus, uncertainty existed within the contractor organization con- 
cerning the validity of the existing limits of safe operation, as 
defined by the design bases of the emergency core cooling systems. 
Nevertheless, the reactors were operated at fitll power for the next 
five years while the laboratory devoted relatively few resources to 
validating the 1979 experiments. At no time during the entire five- 
year period did anyone at DOE become aware of the uncertainties 
that existed regarding the power limits then in use. To its credit, 
DOE acted within hours after being informed in November 1986. 

The conmiittee views this case as indicative of the underlying 
nature of the DOE-rontractor relationship; it is unusual only in the 
severity of the corrective action ultimately taken. The conunittee 
concluded that DOE places undue reliance on its contractors for 
the assurance of safe operations. Safe operation of the produc- 
tion reactors requires independent and competent assessment of 
contractor decisions by experts in reactor safety who are at arms 
length from day-to-day operations. While DOE oversigb^^ nmst al- 
low a contractor a degree of technical discretion and must demand 
individual accountability, DOE involvement has to be comprehen- 
sive enough to allow it to evaluate all aspects of the contractor's 
performance. The DOE will not be capable of recognizing and 
rewarding good practice or recognizing and forestalling improper 
action unless it knows and fiilly understands what the contractor 
is doing. 

Recommendation: The Department of Energy should acquire 
and properly assign the resources and talent necessary to en- 
sure that safe operation is being attained. Changes in staffing 
levels and budgets will likely be required to achieve such a ca- 
pability. The purpose of these changes should be to provide 
the staffing and funding necessary to ensure comprehensive 
involvement by DOE in the safety assessment and operation 
of the production reactors. In addition to establishing compre- 
hensive involvement with the contractors, DOE should clarify 
and strengthen its reporting requirements to ensure that the 
contractors immediately bring matters of safety consequence to 
the Department's attention. 
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Management Strnctnre 

Conclusion: The Department of Energy's management ap- 
proach copes with the mix of production and safety responsi- 
bilities faced by the Department, but falls short of reasonable 
expectation. 

Although the independent ESjcH organization created in the 
last year has conducted several detailed appraisals of rea^.tor op- 
erations, areas of weakness remain: 

• ES&H has no permanent onsite presence. The ties between 
DP and the operations offices are relatively strong, whereas the 
ties between E^S&H and the field offices are weak. 

• The capability of the operations offices to conduct ongoing 
surveillance programs and to review proposed projects needs to be 
strengthened. 

• Although the expanded ES&H organization in DOE head- 
quarters has sponsored important audits of the production reac- 
tors over the last year, the audits have been episodic and narrowly 
focused. They do not substitute for continued onsite surveillance 
or in-depth review of contractor safety analyses. 

• The DOE has nothing fully comparable to the offices and 
divisions of the NRC charged with research, reactor regulation, 
inspection, and event analysis. The functions performed by these 
offices and divisions are not effectively performed by the DOE. 

• The liaison of DOE with the external terVnical community 
faUs short of what is desirable and easily possible. 

The committee recognizes that the DO&contractor relation- 
ship differs qualitatively from that which exists between the NRC 
and its licensees. The balance between costs and benefits is 
achieved in the context of commercial plants through the rela- 
tionship between regulator and licensee and with the involvement 
on economic matters of public utility commissions. DOE, in con- 
trast to the NRC, must play a mixed role. It must assume the 
position of the regulator in terms of assuring the safety of oper- 
ations, but it must also assume the role of licensee through the 
scheduling and financing of operations to meet program require- 
ments. In this scheme, the contractors act as third parties with 
interests in both safety and production. 
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The tension between DOE's two roles is apparent at the pro- 
duction reactors, particularly in connection with the imp!ementar 
tion of safety modifications. As noted earlier, the conunittee was 
told in interviews that, in the past, the contractors have pressed 
for safety upgrades that DOE has then rejected for budgetary 
reasons. 

DOE judgments about plant upgrades do not appear to reflect 
the results of explicit cost*benefit analyses; indeed, so far as the 
committee could determine, there is no formal system currently 
in use to assess proposed production reactor modifications that 
takes pubhc health risks explicitly into account. As previously 
noted, where cost-benefit analyses of plant upgraues have been 
proposed, reduction of avoidance of public health risks have not 
appeared explicitly in the computations. The conunittee believes 
that the lack of a meaningful procedure for conducting cost-benefit 
analyses of proposed plant modifications and the lack of a clear- 
cut, risk-based safety objective are two sides of the same coin. 

In light of the conflicting responsibilities of the Department 
to meet production requirements and assure safety, the conmiittee 
considered whether to reconunend the creation of an entirely new 
management structure responsible solely for assuring the safety 
of the production reactors. For example, the safety-oversight re- 
sponsibilities now allocated to DOE might be transferred to the 
NRC or to an analogous new entity created outside DOE. But 
either of these options might lead to interagency conflicts and 
disruption that could inhibit both safety and production. The 
conunittee concluded that DOE can accomplish the reactor safety 
functions assigned to it by Congress if it dedicates itself to the task. 
Thus, the committee has reconmiended measures to strengthen 
and improve the Department's safety oversight by modification 
and strengthening of the existing management structure. The 
committee acknowledges, however, that the passage of time may 
demonstrate that more radical measures should be adopted. 

In the conmiittee's view, significant modifications of the De- 
partment's approach are necessary. The committee considers it 
essential for the DOE to strengthen the internal monitoring car 
pability it has established for the production reactors. The mon- 
itoring capability itself should be free of the demands presented 
by program responsibilities. DOE has recogni; 3d this need in its 
efforts to build an effective ESicH organization. The committee 
takes note of and conmiends the efforts of that office in the review 
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of design and operational issues at the production reactors, but 
urges further improvement. 

Recofntnendations: In Btrengthening the monitoring of safety 
at the DOE production reactors: 

• The Department of Energy should expand its capability to 
sponsor research, conduct and review safety analyses, eval- 
uate operations, analyze trends, and assess proposed plant 
upgrades. 

• ES&H should have a permanent and significant onsite pres- 
ence with a formal reporting relationship between onsite 
personnel and headquarters staff. 

• ES&H should have more direct access to and involvement in 
the resolution of key safety issues on a timely and effective 
basis. 

• ES&H should be centrally involved in the Department's in- 
ternal budgetary processes so as to help assure adequate 
funding for safety improvements. 

External Orcrsight 

Conclusion: The Department of Energy's safety oversight of 
the production reactors is ingrown and largely outside the 
scrutiny of the public. Weaknesses in management of the 
defense production reactors have led to a loose-knit system 
of largely self-regulated contractors operating within budgetary 
constraints imposed by and on the Department of Energy. 

The DOE is not receiving external and independent review of 
its reactor safety decisions of the type regularly obtained in the 
commercial reactor industry. There is no organization within or 
associated with DOE that exercises reactor safety responsibilities 
analogous to those of the ACRS. There is no organization within 
or associated with DOE that can review reactor operations in a 
manner similar to that exercised by ths Institute for Nuclear Power 
Operations (INPO) for commercial reactors. DOE has also made 
little use of the services of independent safety review committees 
such as those employed routinely by individual utilities to examine 
safety issues at commercial plants. As a result, DOE and its 
contractors do not regularly benefit from the knowledge available 
elsev/here in the nuclear conunur 'ty. 
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The concept of external, independent, or peer review is not 
foreign to the Department of Energy. Parts of the Department 
use review committees, such as the Energy Research Advisory 
Board (ERAB), which provides input to the Director of the Of- 
fice of Energy Research. The DOE national laboratories (such as 
Argonne Naticmal Laboratory and Brookhaven National Laborar 
tory) have outside peer review in the form of visiting committees. 
These committees are usually composed of scientists and engineers 
from universities, industry, and other national laboratories. They 
report to the trustees of the universities that administer the lab- 
oratories for DOE, providing copies of their reports to laboratory 
management and to local DOE operations offices. 

At the DOE production reactors, the committee found little 
in the way of external review. The relationship between the pro- 
duction reactor contractors and INPO has been limited and of 
limited utility to DOE and its contractors. At Savannah River, 
several small external review groups have been formed for narrow 
technical purposes, and the^e is a Reactor Safety Advisory Coni- 
mittee. However, the latter meets infirequently, does not set its 
own agenda, does not have staff support, and has few members 
unaffiliated with DOE or the contractors. 

Independent review has been of enormous importance at com- 
mercial reactors, providing new and workable views and insights 
and assuring the incorporation in safety decisions of operating ex- 
perience at similar facilities throughout the workl. Such a review 
is virtually nonexistent at DOE production reactors. Accordingly, 
the conunittee concludes that there is a critical need for additional 
external oversight at both Savannah River and Hanford. 

Moreover, an independent and aggressive oversight conmiittee 
would help in building public confidence that these reactors are 
indeed being operated to high safety standards. 

Recommendations: An independent external safety oversight 
committee, advisory to the Secretary of Energy, should be es- 
tablished. The oversight committee sho^dd possess the foil wing 
features: 

• Members should be of recognized stature with expertise cov- 
ering the full range of disciplines relevant to reactor safety. 

• Members should include individuals from outside the DOE 
community. 

• The committee should have authority to set its own agenda. 
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• T.%e eommiUee should be authorized to review both the prod^ 
uct and the process of the Department of Energy and eon-^ 
tractor efforts, including review of design, safety analysis, 
operatioru, management, inspection, and enforcement. 

• The committee should be supported by a full-time, techni- 
cally qualified staff, without which it cannot function effec- 
tively, and by a budget adequate to obtain external technical 
assistance as required. 

• The bulk of the committee's work should be unclassified and 
available to the public. 

The Department of Energy should also encourage each con- 
tractor to establish c permanent visiting committee of outside 
experts to review and assess the implementation of safety ini- 
tiatives and to report to contractor management at the site and 
at corpo'a^e headquarters. These committees should be free to 
set their own agendas. 



FoUow-Up 

The committee believes that the foregoing recommendations, 
if implemented, could help foster a self-sustaining system of safe 
operation and oversight: operating units working to well-formu- 
lated safety standards, a strong internal monitoring and enforce- 
ment c^ability, and external oversight to advise on the adequacy 
of safety goals and DOE's adherence to them. Given the difficulty 
of implementing organizational changes of the scope discussed in 
this chapter, however, the committee believes that even if such a 
system were adopted there would be a need for evaluation after a 
reasonable period to see if it is functioning as intended. 

It is worthwhile pointing out that the committee's reconmien- 
dations do not lead to simple, unequivocal answers to questions 
related to the appropriate regulatory model for achieving produc- 
tion reactor safety. Many of the issues discussed here are ones tl at 
need to be addressed by measures other than regulation: safety 
goals are instrumental to the development cf a cost-effective safety 
system; the balance of technical capability between DOE and its 
contractors needs to be restored to bolster the DOL role and im- 
prove the DO&contractor relationship; the transition between the 
3xisting set of aging facilities to a modernized production system 
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must be managed in a tight budget environment. None of these 
imperatives can be met through regulation per se. 

Finally, the tedm<dogicaI vigilance required to assure safety at 
the DOE reactors cannot be generated from organizational struc- 
ture alone. Within even a large, properly structured organization, 
safety is a reflection of institutional commitment and capability. 
Leadership at the policy-making level is essential, and dedication 
to safety must permeate the Department Energy. The DOE has 
made recent strides in this direction, but those efforts need to be 
bolstered, institutionalized, and sustained. 
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E.I. du Pont de Nemours ic Co. ECS Limits Program. Memorandum from 

D. A. Crowley to D. A. Sharp. Savannah River Laboratory: December 

12, 1985. 

E.I. du Pont de Nemours ic Co. Consequences of Non- Wetting Behavior of 
Mark 16B and Mark 22 Assemblies. Memorandum from J. L. Steimke 
to M. G. Loch. Savannah River Laboratory: January 1986. 
E.L du Pont de Nemours & Co. ECS Success Criter'- for Re*ctor Core 
Cooling for LOPA's and Small LOCA's in PKL Mark 22 Charges. 
DPST-86-241. Memorandum from D. A. Crowley et al. to C. E. Ahlfeld. 
Savannah River Laboratory: January 21, 1986. 
E.I. du Pont de Nemours & Co. Uncertainty Analysis of Emergency Cooling 
System Flows. RTR-2341. Memorandum from J. E. McAllister to G. 
F. Men. Savannah River Plant: January 27, 1986. 
E.I. du Pont de Nemours & Co. Generic Flowione Design for FLOOD84 
Calculations. Memorandum from J. E. McAllister to D. A. Crowley. 
Savannah River Plant: January 30, 1986. 
E.I. du Pont de Nemours ic Co. ECS-LOPA Scenario. Memorandum from 
D. A. Crowley to D. A. Sharp. Savannah River Laboratory: January 



E.I. du Pont de Nemours ic Co. Water Temperature in the Polybor Header. 

Memorandum from D. A. Crowley to D. A. Sharp. Savannah River 

Laboratory: February 3, 1986. 
E.I. du Pont de Nemours Co. ECS Limits Program. Memorandum from 

N. T. Hightower to D. A. Sharp. Savannah River Laboratory: February 

12, 1986. 

E.I. du Pont de Nemours ^ Co. Hydraulic Tests of Emergency Cooling 
System— L Area. RTR-2347. Memorandum from J. H. Hinton to G. F. 
Men. Savannah River Plant: April 2, 1986. 
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E.L du Pont de Nemours If Co. Experimental Program for New USH Inlets. 

Memorandum from J. L. Steimke to M. G. Loch. Savannah River 

Laboratory: June 27, 1986. 
E.L du Pont de Nemours ic Co. Support Work for Technical Standard 1.05. 

DPST-86-538. Memorandum from D. A. Crowley to C. E. Ahlfeld. 

Savannah River Laboratory: July 7, 1986. 
E.I. du Pont de Nemours & Co. ECS Power Limits. Memorandum from L. 

R. Chandler to F. D. Benton. Savannah River Plant: July 16, 1986. 
E.I. du Pont de Nemours Co. Untitled note from Rick [F. Benton] to 

Jerry [G. F. Men]. Savannah River Plant: July 16, 1986. 
E.I. du Pont de Nemours Co. Untitled memorandum from D. A. Sharp to 

C. E. Ahlfeld. Savannah River Laboratory: July 22, 1986. 
E.I. du Pont de Nemours &c Co. Improving the FLOOD Code. Memorandum 

from J. L. Steimke to D. A. Sharp. Savannah River Laboratory: 

September 3, 1986. 

E.I. du Pont de Nemours Co. Assembly Damage Model Status/Schedule. 

Memorandum from M. G. Loch to W. E. Jule. Savannah River Labo- 

ratory: September 11, 1986. 
E.I. du Pont de Nemours ic Co. AC and DC Motor Flooding Times. DPST* 

86-642. Memorandum from D. A. Crowley and J. H. Hinton to J. T. 

Gr^naghan. Savannah River Laboratory: September 12, 1986. 
E.I. du Pont de Nemours ic Co. ECS Power Limits. Memorandum from F. 

Benton to G. F. Mers. Savannah River Plant: September 17, 1986. 
E.I. du Pont de Nemours & Co. Conversation with J. P. Church. Memoran- 
dum from J. L. Steimke to M. G. Loclt. Savannah River Laboratory: 

September 18, 1986. 
E.I. du Pont de Nemours & Co. Assembly Damage Model/ ECS Limit 

Meeting. Memorandum from M. G. Loch. Savannah River Laboratory: 

September 22, 1986. 
E.I. du Pont de Nemours ic Co. Guidance on Responding to Increased Risk of 

Reactor Operation Due to New Steimke Damage Models. Memorandum 

from J. P. Church to C. E. Ahlfeld and D. A. Sharp. Savannah River 

Laboratory: September 23, 1986. 
£.1. du Pont de Nemours ic Co. Melting Model for SRP Reactor Assemblies. 

Viewgraphs presented by J. L. Steimke. Savannah River Laboratory: 

September 24, 1986. 
E.I. du Pont de Nemours ic Co. Review of John Steimke's Assembly Heatup 

Experiments— 9/24/86. Note from D. A. Sharp to C. E. Ahlfeld. 

Savannah River Laboratory: September 24, 1986. 
E.I. du Pont de Nemours Co. Recommendation to Reduce ECS Limits 

Due to New Damage Models. Memorandum from J. P. Church to C. E. 

Ahlfeld and D. A. Sharp. Savannah River Laboratory: September 25, 

1986. 

E.I. du Pont de Nemours Co. Recommendation to Immediately Reduce 
ECS Limits by 10 Percent. Memorandum from J. P. Church to C. E. 
Ahlfeld and D. A. Sharp. Savannah Riv^r Laboratory: September 29, 
1986. 

E.I. du Pont de Nemours Co. Modeling the Plenum Under ECS Conditions. 
Memorandum from L. L. Hamm to M. G. Loch. Savannah River 
Laboratory: September 31, 1986. 
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E.L du Pont de Nemours ^ Co. Subcycle-Specific ECS Power Limits. 
Memorandum from M. J. Giess to D. A. oharp. Savannah River Plant: 
October 29, 1986. 

E.I. du Pont de Nemoura Co. Emergency Cooling Power Limits (Rev. 1). 

Memorandum from F. Benton to L. Chandler et al. Savannah River 

Plant: October 1, 1986. 
E.I. du Pont de Nemours Co. Assembly Damage Model/ ECS Limit 

Program. Memorandum from M. G. Loch to J. L. Steimke. Savannah 

River Laboratory: October 2, 1986. 
E.I. du Pont de Nemours & Co. Revised Emergency Cooling System LOCA 

Limits for PKL-Reactor Mark 16B-31 Charges. DPST-86-699. K.em- 

orandum from C. E. Ahlfeld to J. T. Gran^ghan. Savannah River 

Laboratory: October 2, 1986. 
E.I. du Pont de Nemours Co. Emergency Cooling Limits. Memorandum 

from F. D. Benton to G. F. Mers. Savannah River Plant: October 3, 

1986. 

E.I. du Pont de Nemours ic Co. Special ECS Tests — C Reactor. Memo- 
randum from J. H. Hint on to M. H. Tennant. Savannah River Plant: 
October 3, 1986. 

E.I. du Pont de Nemours & Co. Safety Philosophy for LOCA Initiators. 

Memorandum from J. P. Church to C. E. Ahlfeld and D. A. Sharp. 

Savannah River Laboratory: October 7, 1986. 
E.I. du Pont de Nemours ic Co. Melting Model ior Reactor Assemblies 

During Design Basis LOCA. Incomplete Draft DPST. Memorandum 

from J. L. Steimke to W. E. Jule. Savannah River Laboratory: October 

8, 1986. 

E.I. du Pont de Nemours ic Co. Implementation of Emergency Cooling 
System Limits. Viewgraphs. Savannah River Laboratory: October 10, 
1986. 

E.I. du Pont de Nemours ic Co. ECS Program Elements. Memorandum 
from D. A. Sharp to M. G. Loch and J. L. Steimke. Savannah River 
Laboratory: October 1986. 

E.I. du Pont de Nemours ic Co. ECS Power Limitation, Revision 1. Mem- 
orandum from Larry Chandler to Core Design Group. Savannah River 
Plant: October 20, 1986. 

E.I. du Pont de Nemours ic Co. Meeting Minutes, 10/27/86. Savannah 
River Laboratory: October 27, 1986. 

E.I. du Pont de Nemours ic Co. Melting Model. Memotandum from J. L. 
Steimke to M. G. Loch et al. Savannah River Laboratory: October 27, 
1986. 

E.I. du Pont de Neirours ic Co. Meeting Summary: Assembly Damage 

Model. M'^morandum from J. L. Steimke to M. G. Loch et al. Savannah 

River Laboratory: October 31, 1986. 
E.I. du Pont de Nemours Co. Meeting Minutes, 11/4/86. Savannah River 

Laboratory: November 4, 1986. 
E.I. du Pont de Nemours ic Co. Subcycle-Specific ECS Power Limits. 

Memorandum from D. A. Sharp to M. J. Gless. Savannah River 

Laboratory: November 11, 1986. 
E.I. du Pont de Nemours is Co. Status of Work on New Meltmg Model. 

Viewgraphs of a talk presented by J. L. Steimke t- J Stewart. Savannah 

River Laboratory: November 12, 1986. 
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E.L du Pont de Nemoura ic Co. Untitled note from J. L. Steimke to 
W. E. Jule and C. E. Ahlfeld. Savannah River Laboratory: November 
25, 1986. 

E.L du Pont de Nemours Co. Emergency Cooling Syitem Power Limits. 
Viewgraphs of J. Steimke. Savannah River Laboratory: November 26, 
1986. 

E.L du Pont de Nemours & Co. Emergency Cooling System Power Limits for 
Reactor Assemblies. DPST-86-815. Memorandum from J. L. Steimke 
to W. E. Jule. Savannah River Laboratory: December 1, 1986. 

E.L du Pont de Nemours Co. New ECS Damage Models. Memorandum 
from J. E. McAllister to G. F. Men. Savannah River Plant: December 
1, 1986. 

E.L du Pont de Nemours & Co. Subcycle-Specific Emergency Cooling Limits. 

RTR-2431. Memorandum from M. J. Giess to G. F. Mers. Savannah 

River Plant: December 8, 1986. 
E.L du Pont de Nemours ic Co. New USH Design for Improved ECS Flow 

Distribution. DPST-86-826. Memorandum from J. P. Church to C. E. 

Ahlfeld. Savannah River Laboratory: December 9, 1986. 
E.L du Pont de Nemours ic Co. SRL ECS Limits Responsibility. Memo- 
randum from W. E. Jule to G. F. Mers. Savannah River Laboratory: 

December 10, 1986. 
E.L du Pont de Nemours ic Co. Implementation of Revised Emergeo'ty 

Pooling Limits. Test Authorisation 1-2257. Savannah River Laboratory: 

December 11, 1986. 
E.L du Pont de Nemours ic Co. Reference: E. Nomm, "Meeting Minutes — 

ECS Po./er Limits," December 9, 1986. Memorandum from D. A. Sharp 

to C. E. Ahlfeld. Savannah River Laboratory: December 11, 1986. 
E.L du Pont de Nemours ic Co. Reactor Power Reduction for Inoperable 

Booster Pump. Memorandum from L. R. Chandler to F. D. Benton. 

Savannah River Plant: December 12, 1986. 
E.L du Pont de Nemours ic Co. Incorrect ECS Limits. Reactor Incident, 

RI-P-1784, RI-L-0705. Savannah River Plant: December 17, 1986. 
E.L du Pont de Nemours ic Co. Meeting Minutes — ECS Power Limits, 

December 15, 1986. Memorandum from E. Nomm. Savannah River 

Plant: December 17, 1986. 
E.L du Pont de Nemours ic Co. Review of ECS Damage Model Calculations. 

Memorandum from J. E. McAllister to G. F. Men. Savannah River 

Plant: December 17, 1986. 
E.L du Pont de Nemours ic Co. Revised Emergency Cooling Limits for the 

P-9.3 Subcycle. Note from M. L. Nadeau and L. R- Chandler to R. L. 

Salissoni. Savannah River Plant: December 18, 1986. 
E.L du Pont de Nemours Co. Hydraulic Transients for Loss of Cooling 

Accidents. RrR-2424. Memorandum from J. H. Hintoi to G. F. Men. 

Savannah River Plant: December 19, 1986. 
E.L du Pont de Nemours Co. ECS Limits System and Basis. Letter from 

J. T. Lowe to R. L. Morgan. Savannah River Laboratory: December 

29, 1986. 

E.I. du Pont de Nemours ic Co. ECS Limits: Status. Memorandum from 
W. E. Jule to J. D. Spencer. Savannah River Laboratory: December 

30, 1986. 
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E.L du Pont dc Nemonn & Co. CommcnU on LANL Report, 'Effectiveness 
of Emergency Cooling System," by E. W. Baits. Sav&nn&h River 
Lftborfttory: 1987. 

E.L dn Pont de Nemours Co. Modifications to the Emergency Core Cooling 
System to IncreMe Flow to the Reactor. DPST-8e-851. Memorandum 
from W. H. Baker to F. Beranek. Savannah River Laboratory: January 
5, 1987. 

E.L du Pont de Nemours & Co. Flow Required for Throttling of ECS. 

Memorandum from D. A. Crowley to J. P. Morin. Savannah River 

Laboratory: January 6, 1987. 
E.L du Pont de Nemours Co. Discussion with DOE. Note from J. L. 

Steimke to W. E. Jule and F. Beranek. Savannah River Laboratory: 

January 7, 1987. 

E.L du Pont de Nemours & Co. LOCA Leak Rate Needed for Nonconservative 

ECS Limits. Memorandum from J. E. McAllister to C. E. AhKeld. 

Savannah River Plant: January 8, 1987. 
E.L du Pont de Nemours & Co. ECS Limits. Letter from J. T. Lowe to 

R. L. Morgan, U.S. Department of Energy. Savannah River Laboratory: 

January 12, 1987. 

E.L du Pont de Nemours & Co. Resolution of Lack of Reproducibility in 

Flow SpIiU. Memorandum from J. L. Steimke to W. E. Jule and F. 

Beranek. Savannah River Laboratory: January 12, 1987. 
E.L du Pont de Nemours & Co. Meeting Minutes— ECS Power Limits, 

January 12, 1987. Memorandum from E. Nomm. Savannah River 

Plant: January 15, 1987. 
E.L du Pont de Nemours ic Co. Load Shedding Modification for ECS 

AC Motor TVip. Memorandum from T. M. Monahon to J. T. Long. 

Savannah River Plant: January 16, 1987. 
E.L du Pont de Nemours ic Co. Backflow in ECS Addition Systems. 

Memorandum from D. A. Crowley to D. A. Sharp. Savannah River 

Laboratory: January 20, 1987. 
E.L du Pont de Nemours ic Co. ECS Meeting. Memorandum from J. E. 

McAlIbter to C. E. Ahlfeld et al. Savannah River Plant: January 21 

1987. 

E.L du Pont de Nemours ic Co. Review of Administrative Controls for 
Calculation and Implementation of Reactor Thermal-Hydraulic Limits. 
Memorandum from R. M. Satterfield to F. Beranek and G. F. Men. 
Savannah River Laboratory: January 21, 1987. 

E.L du Pont de Nemours ic Co. ECS Limits. Memorandum from J. E. 
McAllbter to G. F. Mers. Savannah River Plant: January 22, 1987. 

E.L du Pont de Nemours ic Co. Review of Administrative Controls for 
Development and Implementation of Thermal-Hydraulic Limits. Mem- 
orandum from R. M. Satterfield to C. E. Ahlfeld and J. D. Spencer. 
Savannah River Laboratory: February 5, 1987. 

E.I. du Pont de Nemours ic Co. Sumjiary of ECS Chronology. Savannah 
River Laboratory: February 25, 1987. 

E.I. du Pont de Nemours ic Co. Melting Model for Reactor Assemblies. 
Viewgraphs of a talk given by J. L. Steimke to the NAS Committee to 
Assets Safety and Technical Issues at DOE Reactors. Savannah River 
Laboratory: February 26, 1987. 
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E.L dn Pont de Nemonn Co, Theoretic&l Simnlfttion of Wftter/Steam Plow 

In ftn Annnlns. Letter from A. E. Jones to J. L. Steimke. Wilmington, 

Delaware: Febmary 19, 1987. 
E.I. dn Pont de Nemonn ic Co. Answers to Qnestions Raised by the 

National Academy of Sciences (NAS) Panel on Febmary 26, 1987. 

Savannah River Plant: March 4, 1987. 
EJ. dn Pont de Nemonrs ic Co, Use of Test Authorisation for Power 

Reduction. Response to the NAS. Savannah River Laboratory: April 7, 

1987. 

E.I. du Pont de Nemonrs Co, Reactor Power Reductions. Letter from 
J. D. Spencer to M. J* Sires. Savannah River Operations Office: April 
14, 1987. 

E.I. du Pont de Nemonrs Co, Status Report — ECS Action Plan. Savannah 

River Laboratory: April 24, 1987. 
E.I. du Pont de Nemours Co, Status Report No. 2— ECS Action Plan. 

Memorandum from C. P. Ross to J. D. Spencer. Savannah River 

Laboratory: May 1, 1987. 
E.I. du Pont de Nemours & Co. Status Report No. 3 — Emergency Cooling 

Action Plan. Memorandum from C. P. Ross to J. D. Spencer. Savannah 

River Laboratory: May 8, i987. 
E.I. du Pont de Nemours ^ Co. Emergency Cooling System Limit Margins. 

RTR-2477. Memorandum from F. D. Benton to G. F. Men. Savannah 

River Plant: May 12, 1987. 
E.I. du Pont de Nemonn ic Co, Status Report No. 4 — E<mergency Cooling 

Action Plan. Memorandum from C. P. Ross to J. D. Spencer. Savannah 

River Laboratory: May 15, 1987. 
E.I. du Pont de Nemonn ic Co, Status Report No. 5 — Emergency Cooling 

Action Plan. Memorandum from C. P. Ross to J. D. Spencer. Savannah 

River Laboratory: May 22, 1987. 
E.I. du Pont de Nemonn ic Co, Assembly Power Limits to Assure Emergency 

Cooling System Adequacy. Test Authorisation 1-2 269 A. Savannah River 

Plant: May 27, 1987. 
E.I. du Pr>i*t de Nemonn ic Co, Status Report No. 6 — Emergency Cooling 

Action Plan. Memorandum from C. P. Ross to J. D. Spencer. Savannah 

River Laboratory: May 29, 1987. 
E.I. du Pont de Nemonn ic Co, Status Report No. 7 — E<mergency Cooling 

Action Plan. Memorandum from C. P. Ross to J. D. Spencer. Savannah 

River Laboratory: June 5, 1987. 
E.I. du Pont de Nemonn Co, Status Report No. 8 — Emergency Cooling 

Action Plan — Predecisional. Memorandum from C. P. Ross to J. D. 

Spencer. Savannah River Laboratory: June 12, 1987. 
E.I. du Pont de Nemonn ic Co, Status Report No. 9 — Emergency Cooling 

Action Plan — Predecisional. Memorandum from C. P. Ross to J. D. 

Spencer. Savannah River Laboratory: June 19, 1987. 
E.I. du Pont de Nemonn ic Co, Meeting Minutes — ECS Power Limits. 

Memorandum from E. Nomm. Savannah River Plant: December 9, 

1986. 

E.I. du Pont de Nemonn ic Co, Revised Emergency Cooling Limits for the 
L-2.1 Subcycle. Note from A. M. Vincent and L. R. Chandler to S. R. 
MacCorkle. Savannah River Plant: December 18, 1986. 
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EJ. da Pont de Nemoun Co. Fim'ioii Prodacts and Exothermic Alaminnni- 
Uraniuin Reactions. Viewgraphi presented by H. B. Peacock to a 
snbcommittee of the NAS Committee to Ass«^s Safety and Technical 
Issues at DOE Reactors. Savannah River Laboratory: July 21, 1987. 

E.I. dn Pont de Nemonrs ic Co. Effects of Imparities on the Metallothermic 
Alnminum^Uraniom Oxide Reactions. Viewgraphs presented by L. W. 
Gray to a snbconunittee of the NAS Committee to Assess Safety and 
Technic^ Issues at DOE Reactors. Savannah River Laboratory: July 
21, 1987. 

E.I. du Pont de Nemours ic Co. U3O8-AI Fatl Development Program. 

DPST-77-287. Memorandum from R. L. FVontroth and H. B. Peacock 

to G. P. Mers. Savannah River Laboratory: September 29, 1977. 
E.I. du Pont de Nemours ic Co. Powder Metallurgy at Savannah River 

Laboratory. DP-1524. Report prepared by H. B. Peacock. Savannah 

River Laboratory: December 1978. 
E.I. du Pont de Nemours ic Co. Quality of U3O8-AI Fuel Tabes of the P-7 

Irradiation Test. DPST-77-247. Memorandum from H. B. Peacock to 

G. P. Mers. Savannah River Laboratory: February 25, 1977. 

E.I. du Pont de Nemonrs ic Co. Potential for Ignition of Uranium Oxide 
During Reactor Accidents. DPST-72-4C3. Memorandum from W. S. 
Durant to J. M. Boswell. Savannah River Laboratory: August 22, 1972. 

E.I. du Pont de Nemonrs ic Co. Thermodynamics of the U-O-AI System. 
Viewgrmphs presented by J. E. Marra to a subcommittee of the NAS 
Committee to Assess Safety ^nd Technical Issues at DOE Reactors. 
Savannah River Laboratory: July 21, 1987. 

E.I. du Pont de Nemours ic Co. Manufacturing and Test of Aluminum- 
Uranium Oxide F^el Tubes. Viewgraphs presented by H. B. Peacock to 
a snbcommittee of the NAS Committee to Assess Safety and Technical 
Issues at DOE Reactors. Savannah River Laboratory: July 21, 1987. 

E.I. du Pont de Nemours ic Co. iLjpection of Irradiated P-7 Fuel Tabes. 
Memorandum from H. B. Peacock and E. F. Sturcken to D. A. Ward. 
Savannah River Laboratory: August 20, 1980. 

E.I. du Pont de Nemonrs ic Co. Reaction and Strength Studies for U3OS-AI 
Fuel Tabes. DPST-76-440. Memorandum from H. B. Peacock to G. F. 
Mers. Savannah River Laboratory: October 29, 1976. 

E.I. du Port de Nemours ic Co. Response to NAS Question No. 19 on 
Integrity of PM (Powder Metallurgy) Fuel Tabes Under Reactor Con- 
ditions. Savannah River Plant: 1986. 

E.I. du Pont de Nemonrs ic Co. Study of the UsOg-AI Thermite Reaction 
and Strength of Reactor FSiel Tabes. DP-1665. Report prepared by 

H. B. Peacock. Savannah River Laboratory: August 1983. 

E.I. du Pont de Nemours ic Co. Preparation and Physical Properties of 

U3O8. DPST-83-276. Memorandum from H. B. Peacock to M. R. 

Buckner. Savannah River Laboratory: January 31, 1983. 
E.I. du Pont de Nemours ic Co. PRA for SRP Reactors. Viewgraphs. 

Savannah River Laboratory: n.d. 
E.I. du Pont de Nemours ic Co. Analysis of the Principal SRP Electric 

Power System. DPST-85-984. Memorandum from J. A. Smith to C. E. 

Ahlfeld. Savannah River Laboratory: October 31, 1985. 
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EJ. da Pont de Nemoan ^ Co. Source Rod Fftilare and Snbtequent De- 
contamination. DP-1305. Report prepared by P. B. Longtin. Savannah 

River Laboratory: April 1973. 
E.I. dn Pont de Nemoun k Co. Inspection of Irradiated P-7 Fuel Tubes. 

DPST-80-447. Memorandum from H. B. Peacock and E. P. Stnrcken to 

D. A. Ward. Savannah River Laboratory: August 20, 1980. 
E.I. du Pont de Nemours & Co. Reactor Incident RI-L-129, Fast Reactor 

Startup. DPSP-60-1106. Savannah River Plant: January 14, 1960. 
E.I. du Pont de Nemours & Co. Onsite Radiation Doses from Postulated 

Reactor Accidents. Memorandum from J. B. Price to C. E. Ahlfeld. 

DPST-86-204. Sa.annah River Laboratory: September 2, 1986. 
E.I. du Pont de Nemours ic Co. Confinement Protection by Automatic 

Backup Shutdown. DPST-79-548. Memorandum from J. A. Smith to 

G. F. Mers. Savannah River Laboratory: March 25, IdSO. 
E.I. du Pont de Nemours & Co. Confinement System Protection Criterion. 

DPST-78-526. Memorandum from J. A. Smith to G. F. Mers. Savannah 

River Laboratory: November 21, 1978. 
E.I. du Pont de Nemours & Co. Automatic Backup Shutdown Using Safety 

Computers. RTR-1767. Memorandum from W. R. Kruts to D. A. 

Ward. Savannah River Laboratory: July 12, 1978. 
E.I. du Pont de Nemours ic Co. Response of ABS-S/C to Reactor Accidents. 

DPST-78-356. Memorandum from J. A. Smith to G. F. Mers. Savannah 

River Laboratory: June 14, 1978. 
E.I. du Pont de Nemours ic Co. Automatic Backup Shutdown— Safety 

Computer (A4BS-S/C). DPST-77-244. Memorandum from S. Nomm 

to G. F. Men. Savannah River Laboratory: May 31, 1977. 
E.I. du Pont de Nemours ic Co. Memorandum from the Severe Accident 

Task Force to J. D. Spencer. Savannah River Laboratory: February 26, 

1987. 

E.I. du Pont de Nemours ic Co. Basic Data— Improved Reactor Confinement. 
RTW-234. Savannah River Plant: June 1986. 

E.I. du Pont de Nemours ic Co. Technical Data Summary — Improved Con- 
finement Facilities for SRP Reactors. DPSTD-86-1. Report prepared 
by S. F. Petry et al. Savannah River Laboratory: March 27, 1986. 

E.I. du Pont de Nemours ic Co. Severe Accident Program. Memorandum 
from M. L. Hyder and D. A. Ward to J. D. Spencer and C. E. Ahlfeld. 
Savapnah River Laboratory: October 28, 1986. 

E.I. du Pont de Nemours ic Co. Reactor Room and Filter Compartment 
Conditions Following a Severe Fuel Melting Accident. Viewgraphs 
prepared by D. C. Losey. Savannah Wver Laboratory: n.d. 

E-I. du Pont de Nemours ic Co. Reactivity Effects of Particulate ^*U-A1 in 
Moderator. Excerpt from SRL Monthly Report. DP-72-1-8. Savannah 
River Laboratory: August 1972. 

E.I. du Pont de Nemours ic Co. Assembly Melting Tests. Excerpt from SRL 
Monthly Report. DP-72-1-4. Savannah River Laboratory: June 1972. 

E.I. du Pont de Nemours ic Co. Transport of Metal Properties in the Cross- 
flow T^nk. Excerpt from SRL Monthly Report. DP-73-1-7. Savannah 
River Laboratory: 1973. 

E.I. du Pont de Nemours ic Co. Melting and Chemical Reactions of Depleted 
UaOg-Al. Excerpt from SRL Monthly Report. DP'77-1.7. Savannah 
River Laboratory: 1977. 
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E.L du Pont de Ncmoun Co. Pud Particle Heatt IVansfer and Steam- 
ing. Excerpt from SRL Monthly Report. DP-74-1-6. Savannah River 
Laboratory: 1974. 

E.I. du Pont de Nemonn & Co. A«tembly Melting Stndy. Excerpt from 

SRL Monthly Report. DP.72-1.6. Savannah River Uboratory: 1972. 
E.I. du Pont de Nemoun Co. Melting TetU of Pnel Tubes. DPST-78- 

543. Memorandum from V. Whatley to G. F. Men. Savannah River 

Laboratory: February 14, 1979. 
E.I. du Pont de Nemoan & Co. GRASS Calculation of a Postulated Loss- 

of-Fnel Accident. DPST-79-514. Memorandum from P. B. Parks to 

G. F. Mers. Savannah River Laboratory: September 28, 1979. 
E.L du Pont de Nemours <k Co. Safety Computer ABS for Confinement 

System Protection. Test Authorisation 1-2065. Savannah River Plant: 

June 20, 1980. 

E.I. du Pont de Nemours & Co. GRASS Calculations of Postulated Loss- 
of-Fnel IVansienU in a Mark ie-31A Charge in C Reactor. DPST-79- 
303. Memorandum from P. B. P^rks to G. F. Mers. Savaunah River 
Laboratory: March 19, 1979. 

E.I. du Pont de Nemours & Co. Response of ABS-S/C to Rod Withdrawal 
AccidenU. DPST-80-323. Memorandum from J. A. Smith and J. P. 
Church to G. F. Mers. Savannah River Laboratory: April 1, 1980. 

E.I. du Pont de Nemours & Co. Krypton Retention on Solid Adsorbents. 
DP-1615. Report prepared by P. R. Monson, Jr. Savannah River 
Laboratory: January 1982. 

E.I. du Pont de Nemours & Co. Krypton Retention on Solid AdsorbenU. 
DPST-81-5C3. Report prepared by P. R. Monson, Jr. Savannah River 
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Appendix A 
Statement of Task 



The National Research Council will undertake an assessment 
of safety and technical issues raised by the nuclear reactor accident 
at Chernobyl. The assessment will focus on the eleven Class A 
(over 20 MWT) reactors operated by the Department of Energy. 
These eleven reactors are the N Reactor at Hanford; the C, K, L, 
and P production reactors at Savannah River; the Fast Flux Test 
Facility at Hanford; the Experimental Breeder II and the Advanced 
Test Enactor at Idaho Falls; the High Flux Beam Reactor at 
Brookhaven; and the High Flux Isotope Reactor and Oak Ridge 
Research Reactor at Oak Ridge. 

The committee of individuals expert in nuclear reactor safety, 
risk analysis and assessment, and management of large production 
and research programs, will carry out the review. The committee 
will obtain the results of DOE's ongoing safety assessments of 
production reactors and will receive briefings on what is known 
about the Chernobyl accident. In addition, the committee will 
respond to Secretary Herrington's request for public participation 
by holding public meetings to receive ideas and information from 
interested individuals and groups. 



Thif Statement of Twk is taken largely from the Auguit 1986 contract 
between the U.S. Department of Energy and the National Academy of 
Sciencef-National Research Council. 
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The committee will report within nine months on matters of 
immediate safety concern for DOE reactor design, construction, 
and operation. It is exi>ected that the committee will consider a 
number of more generic, perhaps longer-term, safety issues that 
arise from a more complete understanding of the Chernobyl acci- 
dent; these will be discussed in a later report. 



120 



Appendix B 
Confinements: Technical Discussion 



''Defense-in-depth" has been the safety philosophy adopted in 
the United States for nuclear reactors [l]. Implementation of this 
philosophy in large nuclear reactors has involved erecting multiple 
barriers to the release of radionuclides into the environment. The 
cladding on reactor fuel and the reactor coolant system itself are 
the first two barriers, while the final and most robust barrier 
in conmiercial nuclear power plants is the reactor containment 
buUding. In the production reactors at Savannah River and at 
Hanford, the final barrier is the reactor confinement. 

Both reactor containments and reactor confinements are in- 
tended to function as barriers to radionuclide release la the event 
of a very damaging reactor accident that breaches all other bar- 
riers. These two concepts function, however, in different ways. 
Reactor containments are designed to retain all radionuclides re- 
leased from the fuel — radionuclides in both gaseous and particulate 
form^ — in a nearly leak-tight volume. Of course it is possible that a 
particularly severe accident would breach the containment struc- 
ture leading to unattenuated release of gaseous and particulate 
radionuclides suspended in the contamment volume . Determina- 
tion of the probability and consequences of such extreme events is 
an important aspect of the safety analysis of commercial nuclear 
reactors [2-4]. 
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Confinement systemB, on the other hand, control the flow of 
effluents produced in a reactor accident so that they pass out of 
the confinement along prescribed pathways equipped with features 
to attenuate the release of radioactivity. The escape of gaseous 
radionucUdes — xenon, krypton, and especially, in the case of the 
production reactors, tritium — is accepted in return for assurance 
that even in a very severe accident there will be significant mit- 
igation of the release of all other radionuclides. The damage to 
health and property caused by release of these other radionuclides 
is thought to be far greater than would be caused by release of the 
gaseous radionuclides [5]. 

The confinement concept is acceptable in principle provided 
the confinemeLt has been designed to accommodate sufficiently 
severe reactor accidents (see the discussion of commercial reactor 
siting criteria in Appendix H). One advantage of the production 
reactors is that their site boundaries are distant from the reac- 
tors, so significant dilution of escaping, gaseous radionuclides is 
possible during an accident. There is no compelling evidence that 
mere adoption of the containment concept would substantially 
improve the safety of the production reactors. The confinement 
concept is equally viable. Indeed, there is much current interest, 
, particularly in Western Europe, in modifying the containments of 
some commercial nuclear power plants so that during severe re- 
actor accidents they would function much Uke confinements [6-8]. 
The "controlled venting of containments" was also proposed in the 
reactor safety study of the American Physical Society in 1975 [39]. 

It is in the implementation of the confinement concept at the 
production reactors rather than the concept itself that is cause for 
concern. These concerns involve the following: 

• Performance of mitigation systems in the production reac- 
tor confinements during severe accidents, 

• Capabilities of the confinement systems at the production 
reactors to sustain loads arising during severe accidents, and 

• Confinement of routine and accidental discharges of con- 
taminated liquid effluents. 

The last of these concerns is discussed in Chapter 2 and in Ap- 
pendi E. Concerns over the abilities of the production reactor 
confinements to mitigate radionuclide releases adequately and con- 
cerns over the ability to sustain severe accident loads are discussed 
here. 
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At both the Savannah River reactors and N Reactor, attenua- 
tion of radionuclide release is accomplished by a filtration system. 
The confinement systems at Savannah River are continuously ven- 
tilated through a filtration system during normal and accident 
conditions [9], The N Reactor system is more complicated. In the 
event of a rupture of the pressurized coolant system at N Reac- 
tor, the confinement system is depressurized through large relief 
vents. These vents are not equipped to attenuate the release of 
any radionuclides suspended in the effluent. Automatic closure of 
the vents and redirection of the flow through cells equipped with 
filters are controlled by timers. The timing sequence is based on 
hypotheses concerning large breaks in the reactor coolant system 
[10). 

In the conmiittee's view, it has not been clearly established 
that initial effluents produced during the course of an accident at 
N Reactor will be sufficiently free of radionuclides so that direct 
venting of confinement pressure w^H make no significant contri- 
bution to the radionuclide release fron* the f!ant. The various 
manipulations of flow in the N-Reactor cc ifinement were devel- 
oped by hypothesizing a particular acc.dent history, yet the com- 
mittee is unconvinced by the available analyses that all accidents 
will conform to this history. For example, accidents initiated by 
the rupture of a single pressure tube and involving core degrada- 
tion under pressure may not conform to the design hypotheses. 
Difficulties have been encountered with the timin% sequence for 
manipulating confinement flow for N-Re.ictor accident scenarios 
only modestly different than those used to -'es;gn the system [11]. 

Even if the confinement flow manipulations at N Reactor are 
satisfactory, questions remain about the ability of the filtration 
systems both at N Reactor and at Savannah River to mitigate 
radionuclide releases throughout an accident. The filtration sys- 
tems of both confinements have been designed with a radionuclide 
release in mind that conforms to the so-called "TID Source Term," 
[12] which involves the following assumptions: 



Radionuclide Release During an Accident 

Noble gases 100% (includes ^H) 

Iodine 50% (as I2) 

Other radionuclides 1% (as particles) 
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Based on this source term, the filtration systems at Savannah 
River and N Reactor have been constructed to consist of three 
elements: 

1. A demister to remove suspended water droplets from the 
effluent, 

2. A high-efficiency-particle-air (HEPA) filter to remove ra- 
dionuclides in particulate form from the effluent, and 

3. A charcoal bed to absorb gaseous iodine from the effluent. 

The designs have thus used the TID Source Term as a prescription 
of not only the magnitude of the overall radionuclide release during 
a severe reactor accident, but also as a prescription of the chemical 
and physical forms of the released radionuclides. 

Unfortunately, the TID Source Term was not formulated on 
a technical foundation that makes it suitable for the design of 
filtration systems. The TID Source Term was created at a time 
when very little was known about radionuclide releases during re- 
actor accidents. The source term was propounded as a supposedly 
conservative upper bound based not on factors important for the 
design of filtration systems but rather in relation to the potential 
consequences of radionuclide releases. At the time that this source 
term was propounded, the consequences of releases of iodine to the 
environment were thought to be most severe, so extensive release 
of iodine was hypothesized in order to compensate for ignorance 
concerning the release of other radionuclides. The gaseous form 
of iodine was prescribed based on a belief that this chemical form 
would be the most difficult to attenuate. 

Research on severe accident source terms has been extensively 
pursued in connection with the regulation of conunercial nuclear 
power reactors [2,3]. This research has shown that source terms 
produced during reactor accidents will be quite different than 
hypothesized in the TID Source Term. The following points are 
among the more important research findings: 

1. Iodine release from degrading reactor fuel will be nearly 
complete and may not be as iodine gas. 

2. Release of radionuclides in particulate form can be greater 
than the 1 percent release hypothesized in the TID Source Term. 

3. Nonradioactive materials in particulate form will make 
great contributions to the effluent produced in a reactor accident. 

Recently^ tests jf radionuclide release from heated fuel from 
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TABLE B.l Radionuclide Maaset in Production Reactor Fueli 
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the Savannah River reactors have been conducted [13], These tests 
show the following: 

1. Iodine release is nearly complete. 

2 Cesium, which in the confinement atmosphere will form 
particulates, is extensively released from overheated fuel. 

3. Iodine was found to deposit in association with cesium in 
the test apparatus as though the iodine were in the form of Csl 
rather than I3 gas. 

These findings are consistent with the findings of past tests and 
models of radionuclide release from metallic fuels [14-16]. Similar 
tests of radionuclide release from N-Reactor fuel have not been 
conducted, but are planned [17] . During severe accidents at N 
Reactor, the fuel will get at least as hot and will be exposed to 
thermal hydraulic conditions at least as severe as Savannah River 
reactor fuel [10], so similar results can be expected. These findings 
show iodine could be in the particulate form, Csl, rather than 
in a gaseous form (I2 or HI) and could collect on the filtration 
unit rather than the charcoal bed. But, of greater concern, release 
of significant amounts of cesium, present in some fuels in masses 
on the order of tens of kilograms (see Table B.l), substantially 
increases potential particle loadings on the filters, threatening 
their integrity. 

There are many other sources of nonradioactive aerosol parti- 
cles that could develop during an accident at these plants: 

• Particulates produced from the fuel and clad during heatup 
in steam. 
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• Smoke produced by combustion of organic materials within 
the reactor confinements [19], 

• Coke formation when mixtures of H2, CO, CO2, and H2O 
formed within the hot modeiator block of N Reactor cool [20], and 

• Boric ctcid produced by steam corrosion of boron carbide 

(211. 

Accidents at Savannah River that progress to tLe point at which 
core debris interacts with concrete [22] would yield formidable 
quantities of aerosols [23]. Accidents involving the U3OS-AI pow- 
der metallurgical fuel currently under development (see the dis- 
cussion of cermet fuel in Chapter 2 and in Appendix F) would 
generate significant amounts of nonradioactive aerosol if metal* 
lothermic reduction the U3O8 by Al occurs [24]. 

Analyses of the loading of particle filters during hypotheti- 
cal accidents at the Savannah River reactors and at N Reactor 
have not included considerations of nonradioactive particulates, 
whereas the contributions of nonradioactive sources to aerosols 
suspended in the reactor containment atmosphere are usually 
found in the analyses of accidents at conmiercial nuclear power 
plants to be overwhelmingly larger than contributions made by re- 
leased radionuclides [35]. These nonradioactive aerosob, together 
with greater than expected releases of radionuclides in particulate 
form, would threaten to clog and rupture the filters. If the filter 
system were to rupture, a large release of radionuclides from the 
production reactors could occur. 

Larger releases of radionuclides in particulate form might also 
place unexpected heat loads on the filter systems. The design basis 
for heat loads on filters at N Reactor assumes that only 0.1 percent 
of the core inventory of fission products that would be released in 
nonvolatile, particulate form will come to reside on the filters [10]. 

HEPA filters used in the production reactor confinements are 
quite efiicient at removing particulate material from gas streams, 
but they have limited capacities for handling particulate loading. 
The pressure drop across an HEPA filter increases approximately 
linearly with loading up to a critical value. As loading of the 
filter with particulates increases beyond this critical value, the 
pressure drop increases approximately exponentially with loading 
as shown in Figure B.l. Studies of a variety of HEPA filters suggest 
that filter loadings of 1.5 to 4.0 kg/m^ mark the onset of rapidly 
increasing pressure drop [25], which leads to failure of the filters. 
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PARTICLE LOADING (g/m^) 

FIGURE B.l Pressure drop across a standard American design HEPA filter 
as a function of particle loading [25]. 



This implies that the filters in N Reactor could austain loads of 84 
to 120 kg, at most. More conservative analyses by the contractor 
at N Reactor suggest that loadings of no more than 10.8 kg would 
be defensible [30]. 

Filter systems in the Savannah River reactors could sustain 
loads of 32-48 kg of particulates in each filter compartment. In fact, 
analyses of pressure drop data obtained following the source rod 
accident at K Reactor in 1970 suggest that loads no larger than this 
could be tolerated [26]. Data from this accident do, however, show 
that particulate may also be collected on the moisture separators, 
and the capacities and efficiencies of these devices as particle traps 
are unknown. 

At N Reactor, the mitigation of releases provided by the fil- 
ters would be augmented by confinement sprays. It is claimed that 
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sprays would remove no less than 98 percent of the particulates 
from the N-Reactor confinement. Upgrades for the Savannah River 
reactc^s would make sprays available for operator actuation [18]. 
Sprays ir commercial reactor containments are credited with high 
mitigation capabilities [2,3]. Confidence in the mitigative capabili- 
ties of sprays at the production resictors has been criticized by pre- 
vious reviewers [27]. Indeed, the analyses of spray capabilities at N 
Reactor must be viewed with some skepticism. The anaJyces were 
performed using a commercial reactor computer code (CORRAL) 
[28] that has been abandoned in the safety analysis of commercial 
reactcvs in favor of more sophisticated models [2,29]. Parame- 
terization of I le CORRAL code was based on tests appropriate 
for containment [31] rather than the once-through flow of the N- 
Resu:tor confinement. The analyses also hypothesized particulate 
sizes of 5 to 15 /tim. But the efficiency of spray decontamination 
of particulate-laien gases is a strong function of aerosol particle 
size, as shown in Figure B.2. Analyses for cormnerc\bl reactors, in- 
cluding core degradation experiments [2,3], and tl experience of 
the Chernobyl accident show that much finer particles, which are 
less easily removed by sprays, could form v-luring reactor accidents. 
Experimental and analytical work, using analyses that reflect the 
unique flow conditions that exist in the N-Reactor confinement, 
needs to be done to dete* nine whether the low collection efiicien- 
cies of the confinement sprays for small particle size aerosols would 
still yieM large factors of decontamination. These analyses should 
also tsJce into account that spray coverage of the N-Reactor con- 
finement is not uniform. If particle-laden gases bypass the sprayed 
regions, they will pass unattenuated to the filter systems. 

The filter systems used at both the Savannah River re2ictors 
and N Reactor are not especially strong. Pressure pulses sufiicient 
to rupture the filters are estimated to be 10 to 12 inches of water 
(0.5 psi) [9,30,37]. These estimates are consisteit with predic- 
tions found in the literature [34]. Such pressure pulses would be 
quite likely to develop in the course of severe realtor accidents. 
As discussed in Chapter 2, hydrogen combustion, which need not 
be intense enough to produce shock waves, could still produce 
pressure pulses sufiicient to rupture the filters and even the char- 
coal beds used for trapping iodine. Parametric calculations for N 
Re2u:tor based on the modest hydrogen generation rates of the hy- 
pothetical su:cideiit indicate the possibility of pressure pulses that 
threaten filter integrity [38]. inus, bulk rupture might render the 
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PARTICLE SIZE (urn; 

FIGURE B.2 Particle collection efficiencies for fog spray droplets at N Re- 
actor as funct ions of particle sise. (Calculations were made using models 
from reference 29. Droplet sise data are from reference 10.) 



confinement filtration system, if not the confinement itself, inca- 
pable of attenuating radionuclide releases. Bulk rupture caused by 
pressurization from a hydrogen deflagration or detonation might 
be especially troublescr.te since such an event could also cause de- 
posited, radionuclide-bearing aerosols to be resuspended [35,36]. 

NOTES 

1. The first use of the term **defense in depth" as applied to 
the safety of nuclear power plants seems to have been made 
in the period 1964-1965, when the Regulatory Staff of the 
Atomic Energy Commission was formulating the requirements 
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Appendix C 
Documents on Power Operating Limits at 
Savannah River Plant 

NATIONAL RESEARCH COUNQL 

2191 CjiiililiMi AowMt WMtmifWn. D C ]M1I 
COMUBSION ON PHYSICAL SOENCCS COMMISSION ON INCXNOMNC AND 

MATHEMATICS. AND HESOUHCtS TECHNICAL SYSTEMS 

COMMTni TO ASSESS SaFITV AND 
TECHM CAL SSUtS aT DOE REaCTOHS 



March 9, 1967 



The Honorable John S. Herrington 
The Secretary of Energy 
U.S. Department of Energy 
Washington, D.C. 20585 

Dear Secretary Herrington: 

On May 13, 1986, you requested that the National A :demy cf 
Sciences and the National Academy of Engii*eering form a ccmmittee 
to perform an assessment cf the safety of the Departjnent's ma^or 
production and research reactors. The Ccmmittee 's effort is 
underway, with a principal focus initially on the production 
reactors at Savannah River and the N-reactor at Hanford. I am 
writing m response to a request by Under Secretary Salg«do at our 
initial meeting that we bring any j^atters cf immediate concern 
promptly to the Department's attention. 

As you know, the allowable reactor power limits for the 
Savannah River reactors were decreased lact November based on a 
reevaluaticn cf the adecuacy of the emergency cooling systems m a 
severe loss cf coolant accident. As a result, the Committee has 
exajrmed wnether accop»:aDle fuel temperature is likely to be mam- 
tamed m sjcn an accicent. I ani writing to set out the Commit- 
tee's concerns cn tnis r.atter. 

Sasea cn interviews over several d&yz with Du Pont and DOE 
staff and tne review cf cocaTer.fs made available to tne Commit- 
tee, we are r.ot aole to conclude with confidence that significant 
core ca-Tiage wci.ld oe avoided if tnere were a severe loss of cool- 
ant accider.t wr.ile the reactors are cperatma at the currently 
establisned reajcsd power liirirs. In our vie*<:, the reactors 
sr.culd only ue cp'^ratc^ at power levels at which it can be con- 
vmcmciy de-ncns'^rated that 'mere will be adequate coolmg cf tne 
f jel ever tr.e entire duration cf tne transient. 

^e recoTTcnd tnat tne Department exarnne this matter imneci" 
atc_y and eotai^licr. aggressive co'^rse of action for the snort 
tcr- to ir,r-rc tr,o safety of the reactors m a severe Ics' zC 
cocldr.t LZzi:icT.i. :n f.is ccnr. . ^iicn, totn DOE anr DuPon: snculd 
crti-r. cr^'^rt ^-.--gio*? c^ida'^ce ar acvico cn the r>attcr m a 
•. . -rr.r^u:: a-:: M^ily iaz' ~zr.. Over tr.o 1 oncer terT, mrreased 
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The Honorable John S* Herrington 
March 9, 1987 
Page 2 



resources should be devoted to developing a more thorough under- 
standing of the behavior of the reactors in a severe lots of 
coolant accident. Finally, prototypic experiments more 
rigorous analyses should be undertaken to explore the pnenon^ena 
that affect reactor behavior in such a situation. 

The Committee will review this issue further and will discuss 
It \n more detail in its subsequent reports. 



Sincerely, 




Richard A. Meserve 
Chairman 
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Department of Energy 

Wftthmgnon. DC 20SSS 



Mxai 12, 1967 



Tht Dqsansnent has received your letter of f^ixti 9, 1967. J 
appreciate your early ejqpression of oonoem about the atequacy of 
cmrgency core cooling ■yetems, ahould there be a aevere loas of 
cooling accident at cne of the Savannah River raactora. 

J have aaked Aaaiatant Secretary Haxy ttolXer to eatabliah an 
action plan to exandne this natter as esqpediticusly as possible. 
To aid us in inderstanding your particular oonoems, it %c3uld be 
helpftjd if waiters of your comnittee could brief DOE staff as 
soon as possible. Mb. MhDcer will contact ^ to arzBnge Hie 
briefing. 

Yours truly, 




Joseph F. Salgado 
Under Secretary 



Richard A. Meserve, OtfazTtan 
Connittee to Assess Safety and 

Techruoal Issues at DOC Reactors 
National Research Council 
2101 Constitution Avenue, N.W. 
Washington, D.C. 20416 
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Department of Energy 



Washington. DC 20585 



May 5, 1987 



Mr. Steve H. Blush 
Study Director 

National Academy of Sciences 
Office 271 

2101 Constitution Avenue 
Washington, DC 20418 

Dear Mr. Blush: 

This letter responds to your telephone request to Marilyn Sirnth for infor- 
mation on the OOE's review of the power levels selected for the Savannah 
Rive" Reactors to meet the National Academy of Sciences' and the National 
Academy of Engineering's concerns expressed in Mr. Meserve's March 9, 1987, 
letter to Secretary Herri ngton. My office organized an effort under the 
leadership of W. W. Kinney, Acting Branch Chief of the Reactor Safety Branch 
in the Office of Nuclear Safety, who was assisted by a team of three inter- 
national experts in emergency core cooling. The team's report is documented 
in a letter dated April 6, 1987, from P. North, Manager, Nuclear Reactor 
Research and Technology, EG4G Idaho, Inc., to R. E. Tiller, Director, 
Office of Special Programs, DDE, Idaho Operations Office (see enclosure 1). 

Based upon the results of the team's assessment of the methodology used to 
establish the current permissible power level, we consider that the current 
operating power levels include conservatisms with respect to possible fuel 
damage In the event of a large break loss-of-coolant accident. The EH staff 
ilso had a number of recommendations (see enclosure 2) with respect to tlsa 
continuing analysis of the power limits for the reactors. These recommen- 
dations are being implemented by the Office of the Assistant Secretary for 
Defense Programs. We will be pleased to provide you or the committee with 
additional infomidtion as necessary. 



Si ncerel y . 
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Apnl 6, 1987 



Hr. R. E. Tiller, Director 
O'fice of Special ProgrMS 
Idaho Operations Office - DOE 
Idsho rails. 10 83401 

REVIEW OF METHODOLOGY USED IN SAFETY ANALYSIS OF THE SRL PRODUCTION 
RcACTORS 

Dear Mr. Tiller: 

Cn March 74 and 25. 1987. Hr. John Liebenthal and Dr. Victor Ranso* of 
EGftG Idaho. Inc and Mr. Kenneth Moore, of Scientech. ftccoapanied Mr. 
Uilliam Kinney, of DOE-EH. to Savannah River Laboratories for the purpose 
of reviewing safety analysis that had been used to set conservative 
operating power levels for the SRL production reactors. 

A suWMry cf the review with conclusions and recOMMndations is attached. 
The team agreed that the current operating power levels included 
significant conservatisms with respect to possible fuel damage m the 
event of a large break LOCA. However, significant uncertainties exist 
Mith respect to the cooling process under low ECCS flows. In view of 
these uncertainties, it is recoimended that the limiting case cooling 
analyses be completed and reviewed. Additional recoimiiendations are made 
relative to future efforts to quantify safety margins. 



a-nj 

Attachment 
As Stated 

cc W Kinne,. DCE-EH 
K Moore. Scientech 




P. North. Manager^ 
Nuclear Reactor Research 
-nd Technology 



^^E'GcG ..^. ^. PO Bom 1S35 tdmho Falls 10 9341$ 
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INTEROFFICE CORRESPONDENCE 



March 30, 1987 



To 



J. 0. Zane 



From J. L. Liebenthal, K. V. Moore, and V. H. Ransom 

Subject REVIEW OF THE METHODOLOGY USED IN SAFETY ANALYSIS OF THE SRL 
PRODUCTION REACTORS - Rans-18-87 



Introduction 

A technical review team consisting of Mr. John ^. Liebenthal and Dr. 
Victor H. Ransom, EG&G Idaho, and Mr. Kenneth y. Moore, Scientech, 
accompanied Mr. William Kinney, DOE-EH, to The Savannah River Laboratories 
on March 23, 1987 and met with SRL personr.*! on March 24 and 25, 1987. 
The purpose of our vi^it was to review the rationale used to analyze the 
response of the SRL production reactors to a large break LOCA. At the 
tine of the review, the reactors had been reduced to approximately 50% 
powtr levels as a result of safety concerns expressed by the National 
Academy of Science. The objectives of the meeting were to review the 
methodology used to establish the current operating power levels, to 
review the procedure proposed for establishing power levels for operation 
over a 90 day period, and to comment on the approach proposed for 
establishing higher operatng power levels to be implemented at the end of 
90 days. The findings and opinions of the EG&G Idaho and Scertech 
personnel are summarized in this report. 

The National Academy of Sc:enLC revew group had previously expressed 
concern with regard to the ability to cool the reactor fuel and/or target 
assemblies using emergency core cooling in the event of a 200% double 
offset shear cold leg break accompanied by an additional failure of one 
ECC circuit, i.e. only one of the three ECC cooling circuits is assumed 
available. The safety criterion that had been used to establish operating 
power levels, prior to review by the Nat-.onal Academy of Science, was that 
the maximum fuel temperature could not exceed the melting point of the 
aluminum cladding. The current operating power levels were set using a 
more conservative criterion that no net boiling would occur in any 
assembly, i.e. that the coolant outlet temperature would be 100 degrees C 
with no net steam production. This criterion was selected in order to 
avoid the possibility of counter current flow limiting (CCFL) at the top 
of the fuel and target assemblies, which Mas postulated by the National 
AcaJemy of Science as a mechanism that could lead to fuel heat up and 
damage. 
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System Oescnption 

A brief description of the Savannah River Reactors Mi11 be given here in 
order to facilitate explanation of the conclusions that are subsequently 
described. The reactors have aluminum dad enriched U235 fuel in the form 
of concentric cylinders. Each fuel assembly consists of three concentric 
cylinders that are approximately 4 inches in diameter and 12 feet in 
length. Target assemblies consist of two concentric aluminum dad 
cylinders of either U238 or A1*Li a11oy that are also approximately 4 
inches in diameter and 12 feet in overall length, but are made up of a 
train of 8 inch long slugs. The core consists of 600 fuel and target 
assemblies arranged in a hexagonal array consisting of a fuel assembly 
surrounded by six target assemblies. The fuel and target assemblies are 
both convectively cooled by circulation of the heavy Mater which also is 
the moderator. The heavy water is circulated through the core by six 
synmetrical 1y arranged coolant loops each containing a pump and heat 
exchanger. Three of the cooling loops include provision for injection of 
light water as emergency core cooling in the event of a LOCA. The 
topology of the cooling system is such that the coo1^ j water is 
introduced at the top on the reactor t^^ough a plenum and flows down 
through the 600 fuel and target assemblies and exits into the reactor 
tank. Pump suction lines a«*e attached at the tank bottom and the coolant 
is pumped through heat exchangers, cooled by river water, and reintroduced 
at SIX equally spaced circumferential locations into a distribution plenum 
that is 8.5 inches high and 10 feet in diameter. The reactor power level 
IS controlled by control rods that enter the reactor core from the top. 



Postulated Accident Scenario 

The postulated accident of concern is a large break LOCA in which one of 
the six reactor inlet cooling p^pes suffers a double offset shear break 
In particular, one of the three inlet pipes that contain ECC injection 
provision is assumed to break. Moderator/coolant is lost out the break 
due to draining of the upper plenum and due to pumping out the pump 
discharge line (there is little or no blowdown Since the reactor operates 
at low pressure). With one ECC system supplying coolant to the reactor, 
the system reaches an equilibrium condition after approximately one minute 
in which the tank level has dropped to a depth of approximately 18 inches 
and air from the tank is entrained into the pump suction lines (air flows 
into the reactor vessel through vacuum breaker valves). The mixture of 
Mater and entrained air (estimated by OuPont to be 5% air by volume) is 
pumped to the upper plenum where flow stratification occurs and water 
flows into the fuel and target assemblies as a result of gravitational 
head only. Water flows from the plenum out the broken inlet pipe and air 
will flow in or out the break depending on the amount of air entrained in 
the assembly coolant flows. Additional water and air are discharged from 
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the system out the broken pump discharge line. The point of minimum Mater 
level in the upper plenum, and consequently also the point of minimum 
coolant f1oM, occurs at a point between the break and the center of the 
core. Thus, the limiting assembly, i.e. the one Mith the greatest ratio 
of decay heat power to coolant f10M, also occurs nearby. The limiting 
assembly establishes the maximum reactor operating power level since the 
decay heat power is almost in direct proportion to the operating power 
level. 

There are two time periods after occurrence of a LOCA in wi«ich ability to 
cool the fuel and/or target assemblies is a concern. The first occurs in 
the 0 to 12 s time period and is the result of a coupled fluid-thermal 
instability in which fuel heat up occurs due to reduced coolant flow under 
conditions of net vapor production. The second period occurs between 40 - 
60 s after LOCA occurrence and is the point at which the decay heat power 
to cooling capacity ratio is a maximum and thus is the tint at which the 
maximum fuel /target temperature and coolant outlet temperature result in 
the limiting assembly. When the no bulk boiling criterion is employed, 
the most limiting condition occurs during this second period. Thus, most 
of the discussion in this review concerns the methods used to predict the 
coolant flow rate to the limiting assembly and the ability of the 
resultant coolant flow to effectively cool the assembly. 



Methodology Assessment 

The methodology that was used to establish the current permissible power 
levels is based on empirical and analytical estimates for the decay heat 
po««er, available coolant flow, and heat transfer conditions in the 
limiting assembly. The methods used to establish each of these factors 
will be discussed relative to the degree of conservatism that is 
included. The term "best estimate" is used in the sense that the most 
probable result would be predicted. The term "conservative" is used 
herein to Man more conservative than "best estimate." 

The decay heat power was established using the 1973 ANS standard which is 
a best estimate value. Present NftC practice is to obtain a conservative 
estimate for decay heat power is to use a 1.2 multiplier on the ANS 
standard. Less restrictive best estimate methods for decay heat power are 
currently under review by NftC, but are not yet approved. An additional 
difference between the SAL react'^-s and the basis for the ANS decay heat 
standard is that the SAL reactors treed Pu239 and contain fission products 
of Pu239 while the ANS standard is based on fission of U235. OuPont 
stated that they had looked at this effect and concluded that the ANS 
decay heat model was conservative. The method used to estimate decay heal 
power is a best estimate model. 
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The method used to establish the coolant flOM to the limiting a .mbly Mas 
based on empiriol data gathered in full scale tests of the reactor system 
with one coolant pump not operating. These data Mere used to establish 
flOM coefficients fo- 'he SRL FL00D84 code Mhich in turn Mas used to 
predict flOMS to individual assemblies under conditions other than those 
corresponding to the tes: conditions. This procedure does not include 
additional co.iservatisms to accou*'*: for variations due to data inaccuracy, 
effect of brea^ location on coolant loss, effects of uncertainties in .he 
amount of entrained air in the recirculated flOM, etc. Therefore, tnis 
model results in a best estimate prediction for the coolant flOM to the 
1 imiti ng assembly. 

The degree of conservatism of the method used to estimate the channel *to* 
channel flOM division and the associated cooling effectiveness is 
difficult to judge. The experl'-ental data taken on channel-to-channel 
flOM division had a very Mide scatter and a tMO-sigma low value Mas used 
even though lOMer values of flOM to the outermost channel Mere actually 
measured. The cause of the Mide dispersion in the measured flows Is not 
knoMn and could be due to experimental procedure o<^ a real effect. Thus, 
the use a tMO-sigma Iom value may not result in a conservative e5v -riate 
for the loM floM since approximately 60 assemblies are located in the area 
of low upper plenum ^evel. '''his exceeds the n imber of data points used to 
establish the two-sigr^a low limit and it is possible that the loMest 
measured flOM cruld occur. A more conservative estimate for the percent 
of assembly flOM going to the outer annul i would be the lOMest value 
measured, i.e. appr'^-^-ute ly 10% rather than 12%. The method that Mas 
used yields an estimate for the flOM to the outer channel of the limiting 
assembly that is betMeen a best estimate and a conservative value. 

The deg^*e of conservatism in the heat transfer calculation used to 
determiie the bulk temperature rise is also difficult to estima:e. The 
flOM in the outer annuli is undoubtedly significantly mal distributed in 
view of the wide scatter in the channel-to-channel flOM division. 
Maldistribution Mill result in nonuniform heat transfer in contrast to the 
uniform as$uR.Dt1on used m the cooling calculations. Fur a fixed coolant 
flow t-o the limiting channel, the most probable situation is that 
maldistribution Mill he present Mhich Mill result in locally higher will 
temperatures than would be the case with uniform heat transfer. Most 
likely, any energy not absorbed by the coolant in the limiting channel 
will be distributed to the other cooling channels by conduc on without 
excessive fuel temperature. However, heat trjnsfer analyses for the most 
limiting configuration, the MK31A tarqet asset bly, und^ - conditions of 
coolant maldistribution were no\, presented. The assumption of uniform 
heat transfer in the limiting channel yields fuel temperature estimates 
that are less conservative t^^.n a best estimate model that includes 
maldistribution. 
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Additional conservatism Mas added explicitly by reducing the maximgm 
operating power level determined gsing the no boiling in the limiting 
assembly criterion, by an extra 5% and through the use of simple power 
ratios established by a detailed limits analysis using th^ ir^^vogs no 
fuel damage criterion. DuPont estimated that an additioial 18 to 34 
percent in power margin existed as a result of this procedure. 



Conclusions 

In summary, review of the conditions under which the SRL produrtion 
reactors are currently being operated indicated that power marjr.s 
probably exist compared to a best estimate calculation of the limiting 
power. However, uncertainties with respect to the heat transfer process 
in the limiting assembly continue to exist. Specifically, uncertainties 
with r*spect to the heat tr sfer effectiveness in a channel that is 
greater than 90% void and u r condi* ns of circumferential coolant f low 
maldistribution. Neither -rimental cata nor detailed calculations were 
presented that demonstrate ?at co'^ling adequate to prevent local fuel 
damage is achieved. Relate eat ' ansfer studies on the ability of the 
fins on the MK16 fuel to cono ; decay heai between adjacent 

cylindrical fuel elements were p.ebented in order to support the 
contention that adequate cooling could be achieved. Mental extrapolation 
of these results to the case of a MK31A target assembly, in which assumed 
maldistribution of tht coolant would require the decay heat to be 
conducted ci rcumferential ly over approximately one half of the 
circumference of the target ring, indicated that clad melting probably 
jiM>u1d not occur. 

In our opinion, th^ analysis that has been made to support the current 
operating power levels contains ad hoc procedures, lacks consistency, and 
lacks derailed independent review. While we believe that the current 
operating power levels contain adequate conservatisms, based on the 
material presented by the DuPont personnel, we would not recommend any 
increase over thf current operating levels until a consistent analysis of 
tht: decay heat removal process is completed, documented, and reviewed. 



Recoffwe'^dations 

In addition to the corwenw^ that have been made, the following specific 
recommendations are offered: 

1. The mrchanifnjs that are respofsible for the large variation in 
tht measured channel-to-channel flow distribution need to be 
understood. In particular, some of the variation may be due to 
manner in which the experiments were conducted which Introduces 
Mnnectssary penalty. Conversely, if the observeo variations are 
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due in ':ome manner to the physical assembly, th<»n the minimum 
observed f1oM may bt real and M0u1d, therefore, be the 
appropriate value to use rather than a tMO-sigma Iom. 

2. The accompanying circumferential f10M distributions in the 
coolant channel need to be estabMshed or a worst case analysis 
needs to be incorporated into the limits analysis methoaology. 

3. A detailed conduction and convection heat transfer analysis of 
the fuel and target elements under conditions of assumed coolant 
maldistribution should be carried out as soon as possible. 

4. Sensitivity studies need to be incorporated into the methodology 
used to set power levels so that safety margins can be better 
quantified. 

5. An independent safety study should be undertaken by an 
independent team skilled In the methods used in LWR safety. 

6. The detailed analysis of plenum flows should be continued. 

7. Development of an integrated safety analysis capability based on 
existing LWR technology is strongly encouraged. The TRAC-BOl 
computer code is recomnended as a starting point since this code 
already has many of the modeling features needed to simulate the 
SRL production reactors. 






anager of Chemical and Process 
Engineering 




Kenneth V. Moore 
Scientech, Inc. 



Victor H. Ransom 
Scientific and Engineering Fellow 
Nuclear Reactor Research and Technology 



cc: 



R. L. Benedetti 
P. North 
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EH Review of Methodoloay Used by Savannah River Operations Office (SR) In 
M*»el1ng Ho BuU BclHnc Criterion in the SR Production Reactors 

S. R. Foley, OP-1 

Reference: Menwrandim from Hary L. Walker to Joseph F. Salgado, "Resolution 
of Concerns abcut Savannah River ^nergency Core Cooling Syste<ns,' 
dated April 1, 1037 

The purpose of this raenoranduo Is to present the conclusions and 
rccomcndatlons of the EH te3»n wtilch perfomed ar Independent review of the 
safety basis for the reduced power levels for the Savannah River Plant (SRP) 
productior reactors established bv SR to satisfy the "no bulk boll upon loss- 
of -coolant-accident (LOCA)" criterion. 

On M^rCi. 20 and 21, 1987, du Pont prepared, end SR approved, power levels 
Intend^fO to assure that no buU boiling of cncrgenc/ cooling water would occu 
under double ended plpt- brealt LOCA conditions with or.ly one of three ererqenc 
core coolino systens (ECCS) lines functional. On March 2A end 25, 1987, the^ 
subject review was perfomed by technical experts Or. V. H, Ranson and ^ 
Mr. J. L. Llebenthal of ECAG Idaho, and Mr. K. V, Moore of Sclentech, Idaho 
Fills, ard Teen Leader W. W. Kinney, of the Office of Nuclear Safety. 

Based uoon results of the tean*$ assessment of the «thodolosy used to 
establish the current pemlsslble power level, EH considers the current 
operating power levels to Include sone conservatisms with respect to possible 
fuel danage In the event of the large break LOCA. EH recor»»nds that any 
consideration of an Increase In power over the current operating levels be 
basrd upon the completion, documentation, and review of a consistent analysis 
cf the decay h*at removal process under the low ECCS flow which would be 
created by the oosign basis LOCA. Specific EH staff recomendatlons end -the 
letter and report prepared by the technical experts are attached. 

It Is requested that EJI be provided detAlled Information on the basis for any 
recomended consideration of an Increase in power levels for our review and 
concurrence. 

DISTRIBUTION: 
Subject 
EH-30 RF 
ONS RF 
NFSO RF 
Kinney RF 
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Assistant Secretary 
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Attachment 1 



EH Staff Reconmendations 



The following recormendation applies only to the estabHshnent of the power 
level limits based on the criterion of no bulk boiling. 

1. Have an independent group conduct a review of the technical bases for 
future Increases in the power limits which would comply with the no bulk 
boiling of emergency cooling water criterion. (See tean recommendation 
5.) 

The following four recomnendations, with appropriate scopes, apply both to: 
(1) the establishment of power limits based upon the c-iterion of no bulk 
boiling, and (2) the subsequent reestablishment of power limits based upon the 
Criterion of no assembly damage with limited boiling. 

2. Determine the mechanisms that are responsible for the large variation in 
the experimentally measured channel-to-channel flow distribution under low 
coolant flow conditions. (See team recommendation 1. for further Informa- 
tion.) 

3. Either establish the :ircumferential flow distributions in the coolant 
channel under the low flow conditions or incorporate a worst-case analysis 
into the limits analyiis methodology. (See tean recommendation 2. for 
further information. j 

4. Carry out detailed conduction and action heat transfer analysis of 
fuel and .arget assemolies under low coolant flow conditions with assumed 
coolant r. ' distribution. (See team recomnendation 3.) 

5. Incorporate sensitivity studies into tne methodology used to set power 
levels to permit better quantification of safety margins. (See tean 
recomnendation 4.) 

The following two recomnendations apply only to the reestablishment of power 
limits based upon the criterion of no assemoly dana^^e with United boiling. 

6. Have an independent group skilled in methods used ^n connercial light 
water reactor (LWR) safety analyses conduct an indept-ident study of the 
cooling process under the design basis LOCA conditions to verify the 

du Pont analyses. (See tean recomnendation 5.) 

7. Develop an integrated safety anal/sis capability based on existing LWR 
technology. Use the TRAC-BOI conpjter code as a starting t/Oint since this 
code already has many of t^e modeling features needed to simulate the SR 
Plant production reactors. (See tean reconnendation 7.) 

IH aKo supports the continuation of tne detailed analysis of plenun flows 
currently b«>ing conducted by du Pont. (See tean reconnendation 6.) 
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United States Government 



Department of Energy 



memorandum 



o*Ti APR 2 4 1987 

ATTuw. EH-332.1 

ONS Review of the Savannah River (SR) Action Plan to Respond to Concerns 
About Emergency Core Cooling Systen Capability of SR Production Reactors 

^ t2barles 0. Siipson, OP-13 

On April 16. 1987. you provided to the Office of Nuclear Safety (ONS) for 
our review a copy of a draft of DuPonfs "Action Plan to Respond to 
Concerns About SR Dnergency Core Cooling Capability" dated April 14, 1987, 
which was sent to John t. Melnhardt, DP^IO, by R. L. Morgan, Savannah River 
Operations Office, for concurrence. Under the leadership of W. U. Kinney 
of my office, we put together a team of ECC experts Including Or, V. H. 
Ransom and Mr. J. t. Liebenthal of EG&G. Idaho, and Or, L. J. Ybarrando and 
Mr. K. V. Moore of Sclentech to review the DuPont action plan. 

These gentlemen were familiar with the concerns about the capability of 
the emergency core cooling systems (ECCS) of the SR production reactors. 
Or. Ybarrando participated In the EH Design Review of the reactors In 
November 1986. and reviewed the design and analysis of the ECCS. Dr. Ransom 
and Messrs. Liebenthal and Moore on March 24-25. 1987. assisted ONS in 
reviewing the methodology used by SR In meeting the "no bulk boiling of 
emergency cooling water upon LOCA" criterion Imposed by Under Secretary 
Salgado on ^zrch 20. 1987. 

In order to meet your requirenents for comments by COB on April 24. 1987. 
we have attached an advance copy tne -^eport resulting from the review of 
the DuPont action plan. The comnents are substantive, and we request that 
the plan be appropriately revls'/d In conslderaticn of the comments. We 
conclude that the action plan does not provide a clear definition of the 
objectives, strategy, and details needed to provide a well planned and 
executed solution to the current ECC questions. We underscore the 
recommendation that further developnent of the action plan be assisted by 
individuals experienced In resolving similar problems. 

As previously mentioned, on March 24-25. 1987. Dr. Ransom and Messrs. 
liebenthal and Moore, along with W. W. Kinney of ONS. reviewed the 
methodology used by SR in meeting the "no bulk boiling of emergency cooling 
water upon LOCA" criterion. The EH staff recommendations which res-/ ted 
from this review and the report providing the team's conclusions and 
recommendations also pertain to the action plan and should be considered ?ri 
any revision of the subject action plan. These are being transmitted 
separately relative to the selection of the current power levels. However. 
In order to facilitate actions on the subject action plan, we are attaching 
copies of these doci^ents. 
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With regard to the SR "ECS tetlon Plan/OOE Overview Activities." which mi 
Included Mith the DuPont action plan. ONS wants to reinforce SR's Intent 
to have Independent groups conduct reviews of the technical bases fbr any 
considerations of future Increases In power liaits under the action plan. 

Thank >ou for the opportunity to rtvlew the^subject fCtJfbn plan. 




Robert U. B#tber 
Director 

Office of Nuclear Safety 
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21 APRIL 1987 



Mr. R. E. Tiller, Director 
Office of Special Programs 
USOOE 

Idah3 Operations Office 
Idaho Falls, Idaho 83401 



Subject: Review of Action Plan for Savannah River ECCS, YBR-253-87 



Dear Mr. Tiller: 

A^ requested. Dr. V. Ransom and Mr. J. Liebenthal of EG4G, Idaho and Mr. K. 
V. Moore and I of SCIENTECH have reviewed the Savannah River Action Plan on 
severe LOCA transient uncertainties. Particular attention was placed on the 
actions planned by Du Pont for the ECCS related technical issues. 

Our team evaluation of the action plan Is contained in Attachment 1 to this 
letter. 

If we can be of any further service in this important matter, please contact 



Si ncerely. 



L.J. Ybarrondo, PhD 
President 



cc: Mr. R. D. Lease, OOE-IO 

Mr. R. U. Barber, DOE-HQ 
Mr. J. 0. 2ane, E6AG, Idaho 
Dr. V. Ransom, E6A6, Idaho 
Mr. J. Liebenthal, EG46, Idaho 
Mr. K V. Moo-e, SCIENTECH, Inc. 
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ATTACH. 1 TO YBR-253-87: SRP ACTION PLAN 4/23/87 
1.0 Introduction 

The team was asked to evaluate a 14 April 1987 draft entitled, "ACTION PLAN 
TO RESPONO TO CONCERNS ABOUT SR EMERGENCY CORE COOLING CAPABILITY V The 
subject action plan presents a program to resfwnd to concerns about the 
effectiveness of emergency cooling following a severe LOCA In a Savannah 
River Plant (SRP) production reactor. These concerns were expressed by the 
Design Perfomance Review team In Novenber 1986 and the National Academy of 
Sciences SRP review panel In a March 9 letter to Secretary Herrlngton. 

The Design Performance Review team noted that the accident analysis tools fn 
use are outdated and reconmended they be completely modernized Immediately. 
Further, If the ongoing PRA showed that the ECCS was a critical component of 
safety risk then the ECCS should be tested In the C reactor or another 
suitable place. The National Academy of Sciences review panel stated, " We 
are not able to conclude with confidence that significant core damage would 
be avoided If there we^e a severe loss-of-coolant accident while the reactors 
are operating at the currently established reduced power limits." The 
conclusions of both panels are similar. The subject action plan is Intended 
to address the above concerns. 

The power of the SRP reactO'"S was restricted further on March 20, 1987. On 
March 24 and 25, 1987, Or. Victor Ransom, Mr. Kenneth Moore, and Mr. John 
Liebenthal, along with Mr. Uilllam Kinney of Environment, Safety, and Health 
(OOE-HQ) reviewed the methodology used in the safety analysis that was used 
to set the power levels. SRP'S plan Is to develop more accurate methods, 
improved analysis and data, and to verify and use other criteria In order to 
raise the power levels. The current review team, who all participated In 
previous reviews of the SRP safety methodology, were asked to review the 
duPont action plan on April 21, 1987. 

The scope of the review of the action plan encompasses the plan objectives, 
proposed methodology for accomplishing objectives, plan organization, 
schedule and resource credibility, evidence of planning depth, evidence of 
management commitment to the plan, assessment of requisite technl.cal depth 
and understanding of the technical issues. In the several days available fo^ 
this Initial review, the team's evaluation Is confined to a top level of 
scrutiny. We believe this is adequate to assess the action plan presented. 

The methodology used by the team to review the action plan was to 
have each team member concentrate In the area(s) of his expertize. During 
evaluation of the action plan each team member, as appropriate, considered 
the following classes of attributes to determine if the action plan 
adequately addresses these important attributes: Safety, Operations, Design, 
Costs, Regulatory Requirements, and Administration. 

There are major subdivisions that one can consider within each class. 
However, it was not necessary to delve Into that level of detail for the 
summary action plan presented. 




151 



2 



1.1 Organization 

The subsequent portion of this report has been divided into two major 
sections. Overall comments on the action plan are presented in Section 2 0 
and specific technical comments are presented in Section 3.0, In eacS 
section, the comments are referenced to the relevant section of the ac-'ion 
plan as appropriate. 

2.0 Overall Comments 

2.1 The need that duPont feels to increase the power level of the reactor as 
expediously as possible Is understood by the team. However, the team 
believes that the effort to resolve the concerns about the ECCS and related 
issues IS being diluted by mixing in the L'3e to increase power with the 
safety concerns. In other words, the concern about the performance of the 
ECCS and related safety issues is the cause of the power reduction. Resolve 
the cause of the problem and the symptom, power reduction, will be resolved 



2.2 The problems cr concerns to be resolved by the action plan are not 
clearly and explicitly stated. We suggest that the authors of the action 
plan clearly and explicitly enumerate the concerns to be resolved and confirm 
with the groups expressing them that there Is agreement on the conce'-ns to be 
resolved. This will help to minimize misunderstandings and open-loop 
research, focus the issues to be resolved, and aid In confirming when 
resolution Is accomplished. 

2.3 The overall and supporting objectives are not clearly stated. We 
suggest that the authors of the action plan concentrate on defining and 
stating these such objectives clearly and succinctly. The credibility of the 
Performance Requirements and technical specifications for the resolution of 
the concerns expressed about the ECCS and related Issues will follow directly 
from how well the objectives are formulated. 

2.4 The action plan Is really not a plan so much as it is a list of tasks to 
be accomplished in order to achieve higher reactor power. For example, the 
action plan is a start but It Is not specified adequately as to performance 
requirements, and related technical specifications. Further, the Information 
requirements for and Interrelationships between the various supporting 
analytical and experimental tasks Is absent. 

2.5 The "PROGRAM ELEMENTS" described in the APPENDIX to the action plan are 
an Initial step. However, the review team believes that, in general, it is 
not possible to assess the credibility of the p.-ogram elements presented 
because: 

-times for critical tasks such as element 4.2, are underestimated; 

-material resources essential to accomplishing a task such as coTiputer 
dollars for element 4.3 are absent--they may be quite substantial; 
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-consistency between prograa eleineot definition varies; 

•responsibility for progrw element perforaance appears to be assigned to 
several Individuals which. If true, would not be proper; 

-the sequencing between sone program elements does not seem logical. For 
example, see program elements 3.1 and 4.2. Normally, one would select models 
to be validated before designing and conducting experiments. Perhaps there 
Is an explanation for such sequencing. If so. It would be good to state It. 
Unless a fu11 demonstration test on the SRP system Is contemplated. It Is 
Crucial that the analysis and experimental efforts be closely integrated In 
order for the plan to be credible. 

2.6 It ^uld be beneficial In evaluating the overall credibility of the 
action plan if a statement on the overall scope, manpower, and resources 
required are given. 

2.7 The review team believes it is essential that a comprehensive 
independent safety assessment take place. This means a separate group of 
analysts should be used to literally conduct the Important analyses and 
independently verify the duP'^nt work. 

2.8 A comprehensive, integrated system transient analysis should be 
developed. The current lack of such an integrated capability Inhibits the 
ability to properly identify and and assess the importance of Interrelated 
physical phenomena. 

2.9 In sunmary, the action plan is recognized as a reasonable start in the 
short time in which it was developed. At this point , the action plan is not 
yet well defined or Integrated. If used In it: present state, the objective 
duPont desires to achieve may be accomplished inefficiently or, worse yet, 
not at all. We suggest that use of some personnel experienced in resolving 
the subject concerns in the further development of the action plan will be 
beneficial . 

2.10 The review team was asked to comnent on whether the action plan was 
suitable for presentation to the Advisory Committee on Reactor Safeguards 
(ACRS). Of course, we cannot presume to speak for ACRS. But, based on our 
experience in making presentations before ACRS and In acting as consultants 
to ACRS» we suggest that the action plan needs improvement as suggested 
a!>ove before a presentation to ACRS would be worthwhile. 

3.0 Technical Comments 

3.1 General Technical Comments 

In general, the program elements are useful in working toward the evaluation 
of the LOCA accident and reducing its effects. The system improvements that 
are proposed are the most useful in that they could produce Improvements In 
safety margins whether or not the margins are now acceptable. 
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There Is not enough detail In many of the program elements to assess whether 
they are well directed toward their objective. Some of our deUlled comnts 
address desirable aspects of the program elements that are not explicitly 



It Is not apparent from the plan how the Best Estimate procedure for safety 
analysis as opposed to the Conservative approach Is to be Implemented. The 
plan seems to contain elements of both approaches and we believe it is 
necessary to lay out the philosophy of the approach to be used before a 
comprehensive supporting plan can be furmulated. 

The plan addresses the Issue of ECCS Performance Criteria when the limits are 
based on core damage, but It Is our opinion that the current criteria of no 
bulk boiling also requires added quantification. Specifically, the 
permissible fuel /target temperatures that are acceptable under conditions of 
coolant maldistribution require specification. 

From an overall viewpoint, the plan makes several references to single phase 
conditions during the LOCA transients. While the coolant remains in a liquid 
state below the boiling point, it is c jmpletely misleading to assume that 
this no boiling criteria "..approach simplifies considerably the transient 
analysis..". During the majority of the LOCA transient, the reactor systen 
is composed of some quantity of air mixed in some manner with the coolant. 
This multi -component composition of the cooling fluid is in most aspects at 
least as difficult a problem to analyze as are the steam-liquid water 
conditions in coimnercial power plants. Multi ^component coolant composed of 
non-condensable air mixed with liquid heavy water presents a high degree of 
difficulty in transient fluid flow and heat transfer analysis. 

The plan conUins several elements that address the early stages of the 
accident, the flow instability phase. This was not discussed in detail in 
the last review. The effect of system variables on flow Instability and 
recovery should be detailed in support of the elements. 

In certain cases, it may be better to consider doing subscale experiments 
rather than or in addition to detailed analysis. A particular case that 
illustrates the point is the distribution of levels and associated assembly 
flow rates in the upper plenum. Sub scale experiments could be used to 
assess the levels and flows under prototypical conditions, including assumed 
break geometries. It is quite possible that such tests could be performed in 
a Shorter time, at less cost, and with greater resultant credibility than for 
detailed multidimensional calculations. In this way transient conditions 
could be addressed as well as the steady state flows. In any event such 
tests would provide more comprehensive assessment of the analytical methods. 

A key point is that perhaps the most Important factor as far as enhanced 
credibility of tne safety analysis, that Is an Independent safety assessment 
effort by personnel skilled in LWR safety analysis. Is not addressed in the 
reference plan. 
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3.2 Technical Coments-subtasks 

Detailed comnts on program elements, listed by program element number 
follow. Only those elements on which we have comments are listed. 

1. 1 Performance Objective of ECS for Hypothetical LOCA 

This Is desirable. Outside resources should include a representative from 
NRC. 

2.2 Annular Flow Distribution Measurements 

The purpose Is to improve the understanding of low annular flow distributions 
for heat transfer to the coolant. These are unheated tests and while 
certainly needed, the additional aspect of high void heat transfer Is also 
needed. 

This element tests two hypotheses, tank level and spider orientation, for 
maldistribution. These tasks are complete, and if a thorough understanding 
of the sources and the error bands on the flow distribution has not been 
achieved, more work should be done. The circumferential and temporal 
distributions should be determined. The nature of the data scatter, whether 
it is statistical or phenomenologlcal should be determined. This is 
necessar/ to resolve whether a statistical bound or a phenomenologlcal lower 
limit for flow must be used. 

2.3 Decay Heat Power Analysis 

See proposed MRC regulations for methods on treating uncertainties. 
2.4 Review of Experimental Bases for FLOOD 

The stated benefit of "Confirmation of steady-state results.." is not 
necessarily compatible with the goal of obtaining "..minimum ECCS flows..". 
Transient conditions may result in zero flow on a temporary basis. 

2.5 Polybor Temperature Effects on Limits 

If the polybor temperature represents a major determinant of reactor power, 
we would like to uiiderstand more about it. 

Iter 3. Assembly . jOw and Heat Transfer 

The "enhanced understanding" of heat transfer and hydraulic characteristics 
should also Include the effects of multi-component coolant in addition to 
bulk boiling. Aa^cibly heat transfer with air water mixtures during the 
reflood phase may lOt be amenable to the use of existing correlations. The 
program should Include verification of the heat transfer correlations used 
during the reflood phase. If there is not sufficient data presently to 
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assure that the correlations are accurate, then heat transfer tests should be 
perfonned with heated assemblies and accurate simulation of the 
air/water/steam conditions in the reflood phase of the LOCA 

3.1.1 Annular Coolant Flow Maldistribution 

See comment on element 2.2. The element is essential to assessing the safe 
power regardless of the other elements. It is presumed that this is the 
element that contains the Steam Induced Diversion of ECCS that concerned the 
NAS panel. Solution of that concern deserves more description. 

3.1.2 Assembly Component Changes 

This Is desirable both for ECCS and for flow instability, and may be useful 
for other limits that impact pressure boundary integrity. Without a 
statement of the ECCS modifications, we can not comment on the specific 
approach. 

3.2 Flow Instability and Recovery Experimental Studies 

If there is serious uncertainty about the mechanism of flow Instability, this 
' an important element. 

3.3 Analysis of L Area Tests 
What is this element? 

3.4 Plenum Distribution Measurements 

The fluid behavior In the upper plenum Is obviously very complex due to the 
mass of internal hardware and the unique geometry of the plenum. Most of 
duPont's analyses have been based on water distributions within the upper 
plenum that were determined in experiments somewhat similar to the conditions 
to be expected during a LOCA» but the data Is for steady equilibrium 
conditions that probably would not be present during the early time periods 
(tens of seconds) of an LOCA. It is not unreasonable to imagine that the 
water in the plenum would be distributed In a somewhat chaotic manner of 
splashing and surging around the plenum thus creating a condition of 
temporarily uncovering various assemblies. The total inv_itory of water in 
the plenum Is such that the central region only has two inches of coolant 
covering the entrance ports of the hot assemblies on an equilibrium basis. 
It is easy to speculate that the depth could vary significantly in transient 
conditions. 

We believe that it Is important to understand transient effects In the plenum 
and their Impact on predictions derived from steady state tests. It should 
look at gas and vapor deentrainment, at "sloshing" in the plenum, and at 
channel vapor flow and pressure transients. The determination of transient 
flow distributions In the plenum are very important and experimental data for 
this Is deemed necessary. 
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3.5 Pump and Heat Exchanger Performance During U)Ca 

The task should also Include any Information needed to define the flow rates 
through cavltating pumps and system components. This will require :«»rp*'il 
evaluation of the system codes that are used. 

4; Computational Assessment of Severe LOCA 

The statement "The calculations will be normalized to the experlmertal data 
Is an oversimplification. Calculations shoul be qualified and verified 
with experimental data. If significant disagreement exists, the cause should 
be determined and corrected. 

4.1 Deter^lijo i^est-Estimate Computer Codes 

The computer coaes should handle the non-condenSf le mixture oi ui^ and 
water. This technical aspect is available in several codes, but .t ihould be 
recognize'' that the incorporation and verification/qualification of 
non-condensables in these codes has "'-ver reci. 'id ma^or attention. 

4.2 Determine and Implements Model Improvements 

The models for flow instabilitv will need particular emphases. 

4.3 Verify and Validate Computer Codes an*. Models 
Here technical detail is obviously missing. 

4.4 Perform Best-Estimate Calculations for SRP Reactors 

This element should include the sensitivities necessary to derive bounding 
cases fron the best estimate calculations. 

4.5 Validate and Peer Review Resul*' of Calculations 

Confirmatory analyses should be performed as a part of the objective of 
ensuring accuracy. 

5.0 Credibility of Coolant System "freaks in SRP Reactors 

This tota^ element, "Credibilfty of Coolant System Breaks in SRP Reactors" , 
is more thsn that. It seems to be seeking a credible break scenario and its 
thermal hydraulic cof. equences. This seems primarily to be aimed at tne 
early, flow instability phase of the LOCA transient, and only ruling out 
large pipe breaks would seem vo affect the ECCS part of the tra'^'^ient. If 
this is a primary objective, however, it is not well described. 

This is a valid area of study. It should remembered that commercial 
reactors have expended much study on these p.roblems. The low pressure and 
the low stored PV energy in the syst-^m may make tnis effct more meaningful 
for SRP than for high pressure systems. The consultants Hsted seem well 
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siMted to t*>e problem. However » they may not be expert on some of the 
concerns listed below. 

'ihe comments w previously hcve made about sensitivities and the need to 
understand them are particularly valid here, where rapid, transient f'ow and 
pressure effects are Important. The effect of small variations may have a 
large effect in the course of a flow instability event. The dynamics of 
crack opening rnd local flow and precsu/"e effects that Interact with the 
opening are important in determining the system effects and are likely to 
have a large error band. The error band must be bounded to validate the 
predictions. 

If such rapid failures are used as a basis for an accident analysis, the 
system codes may not simulate well the system behavior. Waterhammer effects 
shoulQ be considered if this mechanistic approach is followed. Dynamic loads 
on compc « such as the plenum should be evaluated. Pipe whip effects 
should evaluated. Specific comments on the elements are as follows: 

^ 1 Dynamics of a Double Ended Pipe Break 

We Interpret this as trying to derive flow and pressure input to a LOCA from 
€. complete shear. We presume *hat a part of this is to determine the 
likelihood of suc<i an event; the major element title suggests it, but none of 
this element describes it. Inasmuch as this event Is what commercial 
reactors assume, pr1m> facie, this should be addressed direcily. Other 
effects of a double ended break described above should be considered. 

b.2 Dynamics and probability of a Hinged Pipe Break 

Se€ above. 

5.3 Pipe inspection and Repair 

This seem? to be the ex1'*'n3 program except for t^"? item. "C*^aracterize 

p ,ent1al failure locatio ' With .-espect to the present program, 

previous recommendations about use of Sertion 11 of the ASME Code apply, and 
we presume that Mr Bush will assist in assuring this. 

With respect to failure location, certainly the^'e are different probabilities 
. -e psi portion of the pipiny than in the high pressure side, and other 
faw jrs apply. If the LOCA approach is to be abandoned in favor of a 
specified location, it is inappropriate to assume on'y the most likely 
location, and pipe breaks that are representative Oi a full spectrum of 
breaks above some minimum probability must be represented in the araly^'S. 
The object^ves thus must define this min!,ium probability. 

6.1 Install Fourth F.CS Addition System in L " and K Areas 

Installation of additional ECCS capacity shouio have high priority inasmuch 
as it has the clearest probability of successfully resolvii^ the concerns. 
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6.2 Development of Leak Flow Restrictor 

This is unclear; is the objective to reduce initial break flows, or to hold 
ECCS water in the plenum. The letter objective seems more feasible and 
useful. The added risk potential is also obscure. This is hard to judge 
without a concept. 

The Impact of these type of design changes on accident scenarios other than 
0E8 LOCA should be evaluated. If the design change is a flow restriction, 
then high pipe velocities, and consequent erosion, choking, and flow 
tra/isients and their effect on other accidents, system integrity and dynamic 
loads is a concern. If it is a check valve or similar device, it is capable 
of failures and waterhammer events that are new accident initiators. If it 
is a weir or similar dam for ECCS water the flow restrictor comrents apply, 

7.3 Expert Review of ECS Program 

As mentioned above, detailed peer reviews and validating analyses are 
desirable besides the expert review. 

7.4 Revise Procedures and Training for ECS System Modifications 

Besides the training on the fourth addition system, a detailed review of the 
procedurss with respect to system interactions and effects of other operator 
responses is warranted. 

7.5 Update Predictive and Preventive Maintenance Program for ECS Equipment 
The relation of this item to the program is unclear. 
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EXECUTIVE SUMMARY 

The Savannah River laboratory (SRL) has initiated in aggressive program of 
improvement acnviues to extend its capability to analyze the response of the Savannah River 
Plant (SRP) reactors to a h>'pothetical, worst case loss-of-coolant-accidcni (LOCA). SRP has 
also initiated aggressive program to modify the reactor systems to improve their response to 
a severe LOCA. The goal of these programs is to significantly strengthen the technical basis 
for safe operation of the SRP reactors at fuli power levels. 

The programs entail improvements on four paralleL but inicrrtiated, fronts. 

• Dc\clopmcni of a set of improved calculaiional Tools for establishing the technical basis 
for safe operation of SRP reactors givrn the reactor design and the postulated LCK^A 
conditions 

• Enhancements to the cxpcnmenial data base to support analysis of postulated LOCA 
conditions and to bcnchiiiark the computer codes used m the analysis 

• Esiabhshmcnt of a more ph>sicall> meaningful and credible technical definition of the 
po^'ulatcd sc\fre LOCA than the hxpoiheiica!. instantaneous double-ended guillotine 
break nou imposed on t- anaI\S!^ 

• Modifications to the eme:genc> cooling s> stems (founh emergenc> cooling addition 
svsicm). to the reactor h>draiihc s>siem and to the fuel/target assemblies to improve fhe 
reactors abuiT> to re^^Dond to tne postulated LOCA 

Dci:i 'c:^ !a:'KS and their intrrrclaiiorAhip^ are defined in the Acnor Plan for each area of 
c^.prON emcnt 
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Since SRL and SRP arc moving expedioously on four parallel fronts, improvements 
made in one area can obviate the need for. or imponance of, inqm>vements in another area. 
The program of inteirelated activities provides the programmatic options necessary to 
accomplish the dual goals of protecting the public health and safety while esublishing 
appropriate power levels. 

Figure 1 indicates the key anticipated decision points corresponding to major 
improvement milestones. As these decision points arc reached. th<? improved technical basis 
k^d proposed new power limits will be independently reviewed and approved prior to increases 
in reaaor power. 

The projected milestone^ .nown ui Figure 1 include 

• Improvements in the calculational tools and expenmcntal database to establish and 
validate the technical basis for setung power Limits will be developed initially for 
conditions ,>M allow no bulk boiling (NBB- 1 , NBB-2 ) and subsequently for conditjo* s 
that assure a maximum cladding temperature is not exceeded that would impair core 
cooling (MAXST- 1 ) These major milestones are discussed m detail in the Acuon Plan 

• Installation of a 4ih ECS addiaon system at L rcac or and subsequent insiallanon at P 2nd 
K reactors. 

• Esiablishmen: of deieci beforr break prop-am (DBB i and re-defi'^mon of the posruli'.ed 
uuDating LOCA 

• Additional modificaoons to the rtaciur complex and fuel/target assembl> designs 

The tasks in the Action Plan have been divided into a few major time phases associated 
with the planned improvements in the calculaoonal and expenmrntal models Tasks associated 
^iih the near term phases have been defined, planned, and scheduled in detail As these tasks 
are completed, the qualit>' of the information n. cessan to define, plan, and schedjie the 
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iinproveinents included in the later phases will increase and will be usee to assess the 
^xprophateness of currently planned improvenaents. A summary of the intciTtlatHniships of 
these tasks is shown in Figure 2. Subsequent revisions to this Plan will reflect the information 
generated and deCiSions made during tne earher phases 
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Appendix D 
Aging: Technical Discussion 



The Savannah River reactors were constructed in the 1950s. N 
Reactor began operation in 1963. The committee has been unable 
to ascertain the lifetimes projected for these reactors when they 
were designed, but conventional practice [1] would suggest they 
were designed for liMimes of 20 to 40 years. It is evident, then, 
that the reactors are approaching the end of their original design 
lifetimes. Both the Savannah River reactors and N Reactor are 
now encountering material aging phenomena that pose ^ /oblems 
for the long-term operation of these reactors. 



STRESS-CORROSION CRACKING AT THE SAVANNAH 
RIVER REACTORS 

The primary system boundaries of the Savannah River re- 
actor systems are constructed of type 304 stainless steel, which 
by today's standards contains relatively significant amounts of 
carbon — 300 to 800 ppm. When the power of the Savannah River 
reactors was increased in the 19608, it was found necessary to 
acidify the D3O moderator and primary coolant with nitric acid 
(deuterium ion concentration = 10'^ molar) in order to inhibit cor- 
rosion of the aluminum fuel cladding and to avoid contamination 
difficulties caused by corrosion products suspended in tiie D2O [2]. 
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To prevent radiolytic decomposition of nitrate ions, which would 
cause attack on the aluminum fuel cladding, it was found neces- 
sary to operate the reactors with 0.5 to 2 ppm oxygen dissolved 
in the D2O [3]. This dissolved oxygen augments the oxygenation 
provided by 1-3 ppm deuterium peroxide formed in the D2O by 
the radiolytic reactions: 

D2O D OD 
2 0D — D2O2. 

These high oxygen concentrations contrast with oxygen concentra- 
tions of about 20 ppb sought in commercial boiling water reactors 
[4]. The high oxygen concentrations make sensitized regions of the 
high carbon-content stainless steel susceptible to oxygen-induced, 
inter granular, stress-corrosion cracking [5]. Welding is the most 
common mechanism for sensitizing stainless steel to stress corro- 
sion cracking, and the Savannah River reactor piping systems and 
vessels employ welded constructions. 

Cracking, believed to be intergranular stress corrosion crack- 
ing, was detected in the so-called "knuckle" region near the base 
of C Reactor (see Figure D.l) in 1967 [6]. Evidence of stress 
corrosion cracking has been observed m nozzles of the R and L 
reactors and an effluent line in C Reactor [6]. A recent inspection 
of 794 welds in the piping systems of the Savannah River reactors 
identified 53 instances of cracking believed to be caused by stress 
corrosion. Cracking of the reactor system becomes a major safety 
hazard only if the cracks or flaws grow sufficiently that they prop- 
agate rapidly under the loads of normal or abnormal operations 
and cause catastrophic failure of the system. In this regard, the 
possibility of catastrophic failure of a reactor vessel is the principal 
concern. 

Cracking in the piping, system may be corrected — and in 11 
instances is being corrected — by replacing the affected pipes. Re- 
placing *he reactor vessels, however, has been deemed infeasible. 
Repair of cracks in the reactor vessels is proving to be a techno- 
logical challenge. In 1968 patches were welded over cracks in the 
knuckle region of C Reactor [7]. In 1984, leakage in the heat af- 
fected zones of these welds was detected. The pinhole leaks io.ind 
at the perimeters of the patches were attributed not to stress cor- 
rosion cracking out to the accumulation of helium bubbles that 
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FIGURE D.l The ''knuckle" region of the C Reactor and leaks caused by 
oxygen-induced, intergranular, stress-corrosion cracking. 

had formed an interconnected porosity at grain boundaries in the 
heat affected zones of the welds [8,9]. The helium is formed by the 
following sequence of nuclear reactions: 

^^\i + n - ^^Ni 



In the knuckle region, the helium accumulation is thought to be less 
than 10 atomic ppm [10]. In other regions of the reactor vessels at 
Savannah River, accumulations in excess of several hundred parts 
per million are expected. Welding in these areas of high helium 
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concentrations could be expected to be more prone to leakage than 
in the knuckle region. 

TREATMENT OF THE STRESS-CORROSION CRACKING 
PROBLEM AT SAVANNAH RIVER 

Stress-corrosion cracks have caused C Reactor to be removed 
from service, apparently permanently. The extensively cracked 
knuckle region is unique to C Reactor, and there are a number 
of reasons to believe this region was particularly prone to stress- 
corrosion cracking [11]. Nevertheless, there is no reason to believe 
P, K, and L reactors are immune to stress corrosion particularly 
in the regions of high-energy welds. Unfortunately, there are in- 
sufficient data yet available to make meaningful predictions of 
when stress-corrosion cracking might develop in P, K, and L re- 
actors. In any event, short of radical alterations in the materials 
and water chemistry used in the Savannah Rive* reactors, there 
is no way to prevent the conditions of stress-corrosion cracking 
from arising. Helium embrittlement makes conventional welding 
unsatisfactory as a method for repairing any cracks that do de- 
velop. The Savannah River contractor has chosen to confront the 
issue of stress-corrosion cracking with a combination of "detect- 
before-fracture" and "leak-before-break" philosophies [8,12]. That 
is, because cracks must reach a critical size before they propagate 
unstably and cause catastrophic failure, there should be a high 
probability that cracks and leaks will be detected sufficiently early 
to permit safe shutdown of the reactors. 

The Savannah River contractor has introduced a broad range 
of programs to implement these philosophies [8,13]. These pro- 
grams have benefitted from extensive use of consultants and ex- 
pertise throughout the country. One of the most important of 
these programs is enhanced surveillance of vessel welds in P, K, 
and L reactors [14]. K and L reactors have been examined and 
the inspection of P Reactor will soon be completed. At present, 
only visual inspections of crack indications with dye-penetrant 
confirmation is available through surveillance Such visual proce- 
dures are not universally accepted as reliable means for detecting 
cracks The Savannah River contractor is developing the capabil- 
ity to employ ultrasonic techniques and is evaluating the potential 
of eddy-current methods [8i. The committee believes efforts to 
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improve the technology for detecting cracks in the Savannah River 
reactors should be encouraged. 

Once cracks are detected, it remains to be determined if they 
will propagate under the loads imposed by normal operation or 
accident conditions. Stress analyses have been done on the L- and 
C-Reactor vesseb (11,15). The analysis for L Reactor used conven- 
tional fracture mechanics analyses within the constraints specified 
by the American Society of Mechanical Engineers (ASME) Pres- 
sure Vessel Code (16). The decidedly less conservative analysis of 
cracking in C Reactor [11] would be judged less acceptable by a 
broad spectrum of the technical community, but because of the 
C-Reactor retirement the analysis will not be redone. 

The L-Reactor analysis should be taken as only illustrative of 
a technology to be applied once cracks have been detected. The 
analysis considered loads arising in a normally operating reactor 
during % design basis earthquake [17] and under hypothetical ac- 
cident conditions. The accident conditions analyzed were very 
severe. Fracture mechanics analyses were performed for a hypoth- 
esized axial crack at the mid-level the vessel and a crack in the 
vicinity of the outlet nozzles. Presumably, the ongoing probabilis- 
tic risk assessment of the Savannah River reactors will provide 
a more complete understanding of possible loads on the reactor 
systems and crack locations and orientations. 

Data on the fracture toughness of the reactor vessel steel 
are critical input to the fracture mechanics analyses. Currently, 
the effects of radiation hardening of the steel [18,19] are assumed 
to reduce the fracture toughness to 1/10 its unirradiated value, 
which is itself conservatively estimated to be 2000 in-lb/in^. Sa- 
vannah River has launc^ d a program investigating irradiated 
materiab properties to confirm that these input data are in fact 
conservative [20]. Data have been obtained fiom neutron fluences 
approximately equivalent to that sustained by the most irradi- 
ated portions of the vessels. However, shutdown of the High Flux 
Isotope Reactor (HFIR) at Oak Ridge National Laboratory has 
prevented obtaining data for higher fluences, so the available data 
may only be used to confirm conservatism. 

Conservatisms, which may seem of an extreme nature, are 
warranted in the implementation of leak-before-break and detect- 
before-fracture procedures because of the many uncertainties. 
These conservatisms must be highly probable of compensating 
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for undetected or ill-characterized flaws, cracks that do not leak, 
unanticipated loads, and uncertain material properties. 

Finally, Savannah River has also introduced a program to 
evaluate alternatives to conventional welding for repair of cracks 
in the vessel [21]. Though none of the alternative technologies 
has yet been shown to be completely applicable, the committee 
believes this investigation of repair methods should be sustained 
at Savannah River and fully supported by DOE. 

GRAPHITE GROWTH AND PROCESS TUBE 
EMBRITTLEMENT AT N REACTOR 

The acute aging problems at N Reactor involve materials 
within the reactor core. The graphite moderator block has sus- 
tained high, but unequal, neutron fluences over the years. As 
would be expected [23], radiation damage to the graphite initially 
caused the moderator block to shrink. Now, however, the re- 
gions of highest fluences in the moderator are bcgmning to expand 
(see Figure D.2). The varying dimensions of the moderator have 
caused some damage to the block and have distorted horizontal 
control rod channels and vertical channels for the backup scram 
system. Concerns have developed that oflfsets between graphite 
stacks will place stresses on the process tubes and the graphite 
cooling tubes. Expansion of the graphite moderator has been suf- 
ficient that in the near future it will thrust against the top shield of 
the reactor vault. When this happens, continued expansion of the 
graphite will be absorbed by void spaces in the core. The threat 
of unacceptable stresses on tubing and distortion of channels will 
then become severe. Methods to enhance in-service inspection of 
the interstitial regions of the graphite stack need to be developed 
to monitor unexpected graphite distortion and damage, and to 
provide early warning of pending tube distortions. 

Process tubes used in the N- Reactor core are being embrittled 
by two principal mechanisms: 

• Radiation damage, and 

• Zirconium hydride formation. 

As a result, the tubes are becoming more susceptible to fracture 
at a time when stresses on the tubes are expected to increase. The 
rupture of a single process tube is thought not to pose a significant 
safety hazard [24]. But, as embrittlement progresses, there is an 
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FIGURE D.2 Expansion of graphite moderator block at N Reactor. 

increasing danger that fracturing of a pressurized process tube 
will propagate to adjacent tubes, and in turn lead to a severe core 
damage accident [25a,b]. 



TREATMENT OF AGING PROBLEMS AT N RFACTOR 

Graphite growth will soon end the useful life of N Reactor. 
The Assistant Secretary for Defense Programs has indicated it is 
DOE's intention to retire N Reactor from service once expansion 
brirxgs the graphite moderator into contact with the upper shield 
of the reactor vault [26]. The contractor projects that this will 
occur sometime between 1991 and 1996 [27,28]. In the meantime, 
the contractor has plans to slow the rate of growth of the graphite 
by more uniformly distributing the neutron flux over the moder- 
ator volume [28]. The contractor indicates this modification will 
have the additional benefit of improving the quality of nuclear 
material produced by N Reactor. A difficulty to be overcome 
before implementing this mitigation effort is to assure that the 
revised core configuration is not susceptible to xenon instabilities. 
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In addition, a program of surveillance and modeling has been initi- 
ated [28]. Presumably, these activities will indicate whether other 
life-limiting conditions are imminent, such as: 

• Deformation of the 640 graphite and shield cooling system 
tubes or 

• Deformation of the 84 horizontal control rod channels. 

Unfortunately, materials data needed for the modeling eflForts may 
not be available as planned since HFIR been shut down. 

The contractor operating N Reactor has suggested a variety of 
options for correcting the problems arising as a result of graphite 
expansion [27, 29]: 

• TVimming the top and bottom of the graphite moderator 
block, 

• Alternate control rod designs to mitigate control channel 
curvature effects, 

• TVimming graphite to provide clenrance for ball-hopper 
collars, 

• Protective measures to preserve integrity of the graphite 
and shield cooling tubes, and 

• Removal of '"kerb" from the untubed channels at the top 
and the bottom of the graphite stack. 

Provided graphite contraction and expansion has not caused un- 
acceptable damage to the moderator block, 8om.e of these options 
appear feasible. 

The N-Reactor contractor has implemented the recent sugges- 
tions of DOE'S Design Review Team [30] to increase the surveil- 
lance of process tubes. Initially, the work was planned to involve 
the destructive examination of four process tubes and the non- 
destructive examination of 50 process tubes. Nondestructive ex- 
aminations of tubes by eddy-current techniques and by two types 
of ultrasonic techniques indicated there were flaws in some tubes. 
As a result, the nondestructive examinations were expanded to 
mvolve 152 tubes, including complete examination of all tubes in 
the class having the most numerous indications of flaws. Twenty- 
one indications of flaws were found in 13 of the tubes examined. 
Recently, comparisons have been made of the flaw sizes estimated 
by ultrasonic and eddy-current techniques with those found by 
destructive metallurgical methods. This comparison showed that 
the nondestructive techniques indicated well both the axial and 
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the radial locations of flaws. However, the nondestructive tech- 
niques underestimated the length of flaws and in the case of flaws 
deeper than 0.1 inch (the thickness of the process tube wall is 
0.275 inches) underestimated the depth of the flaw. 

The contractor has concluded that the nondestructive exam- 
inations are reliable for flaw indication no deeper than 0.1 inch 
provided that the largest flaw size indications obtained by the var- 
ious methods is accepted. When flaws are indicated to be deeper 
than 0.1 inch, the contractor plans to remove the flawed tube from 
service. The destructive examination of tubes will be expanded. 
To date, six tubes have been removed for such examinations during 
the current outage. 

The surveillance of the N- Reactor tubes has recently suggested 
that fret marks (abrasions) on the tubes may initiate cracking. 
Surveillance of tube fretting and possible crack initiation has been 
undertaken .Complete retubing of the N Reactor has been deemed 
by the contractor to be impractical. Only nine replacement tubes 
are available in inventory. Were adequate funds available, it would 
require six months to re-establish tube manufacturing capability 
at the site. 

The N-Reactor contractor does not plan to conduct 100 per- 
cent nondestructive examination of the process tubes. Yet a defen- 
sible statistical analysis of the basis for partial examination of the 
process tubes has not been prepared. The tubes currently being 
used in the N Reactor have been manufactured umng four differ- 
ent methods. Past studies have shown radiation damage to the 
tube correlates with both location in the core and method of tube 
manufacture [31]. In light of this multivariate dependency, the 
conmiittee believes that a justification of the sampling methods 
being employed needs to be prepared. 

The contractor is studying tube failure propagation and the 
ability of tubes to withstand bending stresses. Destructive testing 
of at least one irradiated tube is planned. 

An area that deserves but has not received much attention 
is the effects of shock quenching of the flawed and irradiated 
process tubes in the event of an accident [33). The consequences of 
fracturing multiple tubes during emergency coolant injection have 
not been included in safety analyses of the N Reactor. 
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Appendix E 
Efflueots: Technical Discussion 



In the event of severe reactor accidents at either the Savannah 
River reactors or N Reactor, radionuclide-contaminated liquids 
will be discharged from the reactor copfinements. At Savannah 
River [l], the discharge will be first to a 60,000-galIon tank and 
then to a 500,000-gallon tank, both of which are vented back into 
the reactor confinement. Overflow from these tanks, however, will 
be to an open, 50,000,000-gallon basin. At N Reactor (2) , discharge 
is to a 6,3(X),000-gallon excavated pit or "crib." 

Accident mitigation at N Reactor involves the actuation of 
confinement sprays to sweep radionuclides from the confinement 
atmosphere [2]. It is inevitable, then, that liquids discharged 
from the plant in an accident would be heavily contaminated with 
radionuclides. Peak concentrations of radioactivity are thought to 
develop in the liquid discharge 2.5 to 10 hours after an accident 
has begun [3]. Failure to initiate pumping to discharge liquids 
from N Reactor while maintaining emergency core cooling system 
(EGGS) and spray system flows could lead to undirected flooding 
of radionuclide-contaminated liquids from the plant [2]. 

Contaminated liquid effluents are discharged from the N Re- 
actor during normal plant operation. In the past these discharges 
have been at a nominal rate of 1330 gallons per minute and hiv3 
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contained about 6000 curies per year of radioisotopes with half- 
lives greater than 48 hours. Radioactive isotopes of strontium and 
cobalt have been the predominant contaminants. 

The discharge of contaminated liquid eflSuents from the N 
Reactor is &^ environmentally poor practice and has been criticized 
as such in previous reviews ot the reactor [4,5,6]. The contractor 
for the N Reactor has recently taken steps to reduce the discharge 
to 505 gallons per minute and about 4100 curies per year. The 
contractor is currently working on filtration equipment that is 
expected to further reduce the radioactivity of the discharge to 
about 1500 curies per year. An ion exchange system, which could 
be used in conduction with filtration, has been proposed that is 
expected to reduce the radioactivity of the discharge to 50 curies 
per year. 

The discharge of liquid effluents is also a violation of the fundar 
mental safety philosophy of confinement adopted at the production 
reactors and will present a safety hazard in the event of a severe 
accident. The safety hazard would arise because radionuclides dis- 
solved in the liquid effluents can partition from the aqueous phase 
back into the atmosphere and thus contribute to the radionuclide 
release from the plant. This partitioning would easily occur for 
small amounts of noble gases and tritium dissolved in the effluent. 
But, more importantly, iodine can partition from the effluent into 
the atmosphere. Iodine that partitions into the atmosphere from 
effluents in the open basins would bypass the filters and charcoal 
beds built into the Savannah River and N*Reactor confinements 
for the purpose of mitigating iodine releases during accidents. 
Very often, it is the iodine release that would pose the limiting 
acceptable site boundary doses for the proaj'^tion reactors [1,2]. 

Iodine partitioning into the atmosphere occurj because iodine 
in aqueous solution can assume volatile forms. The chemistry 
of iodine in aqueous media has received considerable attention 
within the context of accidents analyzed at light-water reactors 
[7,8,9,10]. The equilibrium chemistry can be understood in terms 
of the following reactions: 

1. Oxidation of iodide: 

2 r + 2 + (1/2) O2 O l2(aq) + H2O 

2. Hydrolysis of aqueous iodine: 

2C'l 
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l2(aq) + H2O O -HOP + H+ -f r 

3. Disproportionation of "HOP 

3H0I o lOJ -h 2 r + 3H+ 

4. Vaporization of I3: 

l2(aq) O l2(gas) 

There has been considerable speculation about the chemical 
form that would be assumed by iodine upon release from degrad- 
ing reactor fuel during accidents at the production reactors [11]. 
Because of the first of the above reactions, it does not matter 
whether iodine was first trapped in the water as Csl, HI, I2; all 
subsequent chemistry must be considered. The hydrolysis of aqae^ 
ous iodine is known to be fast [12] and to produce a neutral species 
conveniently labeled HOI, although in fact, its precise nature is 
unknown. Oxidation of HOI to form involatile lOj is a kinetically 
slow process [lOj. The equilibrium ^pearance of I2 in solution 
would make possible iodine vaporization. In older literature HOI, 
too, was considered volatile [7], but vaporization of HOI is now 
largely discounted [10]. The extent to which iodine escapes the 
aqueous phases by I2 vaporization would depend, of course, on 
mass transport in the ambient atmosphere. 

The effects of the complex chemistry of aqueous iodine are 
conveniently expressed in terms of a partition coefficient defined 
as follows: 

concentration of iodine — bearing species in solution 
concentration of iodine - bearing species in the gas phase. 

Smaller partition coefficients imply a greater tendency for iodine 
to v^orize from solution. 

Inspection of the chemical processes affecting the speciation 
of iodine in solution shows that the partition coefficient depends 
on temperature, total iodine concentration, and the hydrogen ion 
concentration. Some calculated partition coefficients for various 
conditions are shown in Figure E.l. High temperatures and low to- 
tal iodine concentrations produce large partition coefficients. High 
hydrogen ion concentrations are especially effective in producing 
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small partition coefficients. This latter factor in determining the 
partition coefficients is quite important for the production reac- 
tors. Coolant waters at Savannah River are deliberately acidified 
with nitric acid to inhibit aluminum corrosion [13]. Chemical ad- 
ditives to maintain low hydrogen ion concentrations are not used 
in sprays or the emergency cooling waters at N Reactor [2]. Acid 
spills [14] or interaction of the discharged waters with atnnospheric 
gases would raise the hydrogen ion concentrations. 

Because the oxidation of HOI to 10 J is a slow process, the par- 
tition coefficient is time dependent [15]. Accounting for this time 
dependence requires consideration of a great deal more chemistry 
[10,16]. Calculated partition coefficients for particular conditions 
are shown in Figure E.2. It is evident that values lower than the 
equilibrium partition coefficients discussed above could arise for 
substantial periods of time. 

More recently* it has been recognized that radiolysis of water 
by dissolved radionuclides could accentuate the propensity for io- 
dine to partition into the gas phase [9,17]. The detailed chemistry 
of this process is not yet well understood. Key reactants are hy- 
droxyl radical, solvated electrons, and peroxide produced by water 
radiolysis [18]: 

4.25 HjO 2.70 e" + 0.55H + 2.75 OH 



+ O.45H2 + 0.70 H2O2 + 2.80 H"*" + 0.10 OH". 
Hydroxyl radicals oxidize iodide to iodine: 

r + OH r + 0H~ 
while solvated electrons and peroxide reduce iodine to iodide: 

I2 -r H2O2 — 2H"*" + 2 r + O2 

I2 + 2 e~ 21". 

So a displacement in the partition coefficient to lower values rather 
than unlimited iodine formation occurs. It is known that fragments 
produced by water radiolysis would reduce lOj , though details of 
the process are incompletely resolved [19]. 
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FIGURE E.l Equilibrium iodiu<» partition coefficient u functions of total 
iodine concentration in the liquid phase for various hydrogen ion concentra- 
tions ([H'*']) and temperatures [7]. 
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FIGURE E.2 Time dependence of the iodine partitioning coefficient [15]. 



Radiation effects are not confined to displarement of the par- 
tition coeSicient. They can also enhance the formation of volatile 
and poorly water-soluble organic iodides [9]. Beahm and cowork- 
ers have shown that methane sparged through irradiated aqueous 
iodine solutions reacts to form CH3I to an extent that increases 
with the hydrogen ion concentration [20]. Further, Beahm et aL 
[15,21] have shown that aqueous iodine solutions v/ill react un- 
der the influence of irradiation with solid organic materials such 
as polyethylene and ethylene propylene rubber to form methyl 
iodide. 

The radiation induced reactions of aqueous iodine solutions 
with organic materials may have particular significance for recent 
proposals to upgrade the cribs at N Reactor. The most recent pro- 
posal [22,23] includes lining and covering the crib with a plastic — 
currently thought tc be polyethylene. While the covering would 
retard but not eliminate partitioning of iodine from the aqueous 
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phase, it would also provide reactants for the formation of volatile 
organic iodides. 

There is no evidence that partitioning of iodine into the atmo- 
sphere was considered in analyses of radionuclide releases during 
hypothetical accidents at the Savannah River reactors or at N 
Reactor [1,2). Recently, attention has been given to iodine parti- 
tioning in the design of sprays for improved confinement systems 
at Savannah River, though radiolysis effects on IO3 have not been 
considered [27). Iodine partitioning is being considered in the 
redesign of cribs at N Reactor [23). 

Iodine may not be the only radionuclide that partitions from 
the liquid efiluent either because of formation of volatile species 
or reaction to form volatile organic species. Tellurium, selenium 
[24, 25), and ruthenium [26) may also partition, but the potential 
partitioning of these species has not been extenavely studied. 
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Appendix F 
Cermet Fuel for SRP Reactors: 



Technical Discussion 



Over !. last several years, the Savannah River contractor has 
been developing an alternative fuel for the reactors. Currently, 
an alloy consisting of up to 30 weight percent uranium metal in 
aluminum and clad with aluminum is used as the fuel [1]. Buildup 
of ^^^U in the fuel (as the uranium purified of fission products is 
reused as fuel) will eventually force the use of fuel with higher 
loadings of uranium [2]. The alternative fuel being developed to 
meet this need is a cermet composed of UaOs particles dispersed 
in an aluminium matrix. Because of the method of manufacture 
[3,4], the fuel is often called '^powder metallurgical" fuel. Studies 
to date indicate that for normal operations, the fuel would be a 
satisfactory replacement for the existing uranium metal-aluminum 
fuel [5]. A UaOs-Al fuel has been used in other reactors [6]. 

The conmiittee's concern with the cermet fuel is not related to 
low- temperature, normal operation of the Savannah River reactors 
but to accident conditions when the cooling of the fuel might 
be, at least locally, interrupted. The concern arises because the 
constituents of the fuel, UsOg and Al, are inherently incompatible. 
The potential chemical reaction between the fuel con.?tituents is: 

1(16 - 6x)/3] Al + UaOs 3U0x + [(8 - 3x)/3] AI2O3, 
where the stoichiometry of the uranium-bearing product, UOx, is 
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dictated by the oxygen potential of the reaction product mixture. 
For most fuel compositions, aluminum will be the excess reactant 
so the oxygen potential will be given by: 

2 Al + (3/2)02 ^ AI2O3. 

Using the oxygen potential derived for the AI/AI2O3 couple, 
neglecting the slight solid solubility of urania in alumina [7], and 
using Blackburn's model of the stoichiometry of urania [8], it can 
be found that the product of reaction wiU be UO2 at temperatures 
less than 1000 K. The product urania becomes hypostoichiometric 
with increasing temperature so that at 2000 K the uranium bear- 
ing product is UOi.mss. At these elevated temperatures, hypo- 
stoichiometric urania develops an activity of uranium metal so that 
eventually the urai ium oxide is reduced completely to uranium- 
aluminum intermetallic compound. Neglecting the slight tendency 
for hypostoichiometry at elevated temperatures, the initial overall 
reaction is: 

(4/3) Al + U3O8 3 UO2 + (2/3) AI2O3. 

At 298 K, this exothermic reaction yields about 225 calories of 
heat per gram of U3O8 reacted. The reaction is a metallothermic 
oxidation-reduction reaction analogous to, but not as exothermic 
as, the classic thermic reaction [9]. Subsequent reduction of the 
UO2 is not especially exothermic. Thermal excursions that might 
be produced under adiabatic conditions in the cermet fuel by the 
metallothermic reaction depend on both the initial temperature 
and the amount of U3O8 present in the fuel, as shown in Figure 
F.l. Were reaction initiated at 373 K, then aluminum melting 
could be produced in fuel containing more than about 44 weight 
percent UaOg. Ignition of the reaction at the melting point of pure 
aluminum (about 933 K) could produce temperatures of 1500 to 
1750 K in fuel contaming 48 to 58 weight percent UgOs as in 
fuel being tested for the Savannah River reactors [10]. Such high 
temperatures would be of concern if they accentuated the release 
of radionuclides or accelerated the rates of steam reaction with 
aluminum [25]. Cladding on the fuel would reduce the temperature 
excursions experienced as a result of the reaction. 

The cermet fuel being developed at Savannah River under- 
goes several high-temperature steps during processing, including 
degassing and hot f xtrusion. Metallurgical examinations suggest 
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FIGURE F.l Adiabatic temperature rises produced by the reaction of UsOg 
with Al at initial temperatures of 933 and 373 K. 

that some reduction of th'' UsOg p&rticles to U4O9 occurs at this 
time [23, 24]. The reaction of U4O0 with aluminum is significantly 
less exothermic and will produce less dramatic temperature ex* 
cursions than does the reaction of U3O8 with aluminum. Further- 
more, metallurgical examinations of irradiated cermet fuel suggest 
that during operation further reductions of the uranium oxide to 
a uranium-aluminum intermetallic compound and AI3O3 occurs 
[23]. The reduction processes during manufacture and operation 
reduce, of course, the potential for chemical heating posed by the 
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cermet fuel. However, no safety analyses have been done to show 
how completely the V^Og must be reduced before the chemical 
heating effects of the reaction are negligible. The committee be- 
lieves there may be merit in assuring that the reduction of the 
UsOs is complete as part of the fuel manufacturing process. There 
is, however, evidence that complete reaction of the UsOs with 
aluminum may yield a product whose performance as a fuel is less 
satisfactory as a result of so-called ^breakaway swelling," swelling 
that damages the fuel [27]. 

The reaction of aluminum with UaOs has long been known 
[1M9]. Soroeconfic 3nce that this reaction may not be of concern 
has been gleaned from the relatively high temperature of igni- 
tion of the reaction— 1150 to 1273 K, which is above the melting 
point of Al. For the analogous reaction of Al with Fe304, it is 
believed that the onset of reaction is inhibited by the presence of 
an adherent AI3O3 film at the mterface between the metal and the 
reactive oxide [20]. Above about 1150 K, it is shown that AI3O3 
films on Al surfaces begin to lose their effectiveness as a barrier 
to surface interactbns [21]. The effectiveness of the AI3O3 film at 
preventing reaction is sensitive to impurities. TVace quantities of 
NaCl will reduce the ignition temperature for the thermite reac- 
tion from about 1160 V to the melting point of aluminum— 933 
K [20]. There is some suggestion that magnesium wUl do the 
same. Some tests conducted recently %t Savannah River Labo- 
ratory [22] have shown low-temperature reactions of aluminum 
with the surface of pressed compacts of Na2U309 and Na6Uo024. 
Innoculation of U3O8/AI mixtures with NaCl did not reduce the 
ignition until quite high loadings of chloride were achieved. Low 
temperature ignition of the metallothermic reaction has not been 
detected in experiments to date with irradiated fuel specimens 
[23]. Some evidence suggests that metallothermic reaction accen- 
tuates the release of fission products from the fuel [26], though this 
enhanced release is no worse than what would be expected from 
fuels currently used in the Savannah River reactors. 
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Appendix G 
Hydrogen Generation During Accidents at 
N Reactor: Technical Discussion 



Maintaining the integrity of the confinement system is crucial 
to the safety strategy of N Reactor. But the confinement building 
of N Reactor is quite vulnerable to overpressunzation. Elstimated 
design pressure limits for the confinement amount to only 5 psig 
[1]. Elaborate venting strategies have been devised so that the 
N-Reactor confinement would not be subjected to excessive loads 
during depressurization of the reactor in the early stages of an 
accident. Nevertheless, the N Reactor would be quite vulnerable 
to internal pressurization, such as pressurization caused by the 
combustion of hydrogen during an accident. 

The materials used in N Reactor — metallic uranium fiiel, 
zirconium clad, grapMte moderator, and boron carbide scram 
system — are all quite reactive toward steam. The inventories of 
reactive materiab in N Reactor vastly exceed equivalent inven- 
tories in commercial nuclear power plants (2). The reactions of 
steam with these materials would be potent sources of hydrogen. 
Should even small percentages of these materials react with steam, 
sufficient hydrogen would be produced to threaten local hydrogen 
combustion if not combustion throughout the containment. In- 
deed, recent calculations with the HECTR code [4,5] show that lo- 
calized combustion that threatens the integrity of the confinement 
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could occur with just the amount of hydrogen thought generated 
during the ''hypothetical accident" at N Reactor. 

Sufficient attention has been called to the vulnerability of N 
Reactor to hydrogen combustion [2,3] that the contractor is now 
conunitted to installing a hydrogen mitigation system [6]. The 
design of such a system requires an understanding of the rate of 
hydrogen generation, when such hydrogen generation occurs, and 
the total amount of hydrogen likely to be produced. The discussion 
below is directed at the analyses of these features of an accident 
at N Reactor. In particular, it focuses on the following: 

1. The use of supposedly bounding ''design-basis" accidents 
to assess the threat of hydrogen combustion at N Reactor, and 

2. The adequacy of the analyses of hydrogen generation for 
the design-basb accident. 

DEFINITION OF THE BOUNDING ACCIDENT 

As a basis for designing a hydrogen mitigation system for the 
N Reactor, a supposedly bounding reactor accident in which hy- 
drogen is generated has been identified. Initially, this accident 
was found to be identical to the hypothetical accident described 
in the plant safety analysis [1] except that for the sake of be- 
iag conservative a doubling of the predicted amount of hydrogen 
generation was allowed [5]. Recently, a revised analysis of the hy- 
drogen design-basis accident has been developed [8]. This revision 
defines a so-called "end state" derived from the preliminary re- 
sults of an incomplete Level 1 probabilistic risk assessment (PRA) 
study of the N Reactor [9]. This PRA purports to show that the 
most likely severe accident sequences will involve failure of the 
emergency cooling system (ECS) for at least part of the reactor 
core but continued performance of the graphite and shield cooling 
system (GSCS), even though the latter is not a "safety grade" sys- 
tem [7]. The GSCS is particularly important because the accident 
is ultimately terminated due to the heat removal capability of this 
system. 

The use of design-basis accidents that incorporate peculiar, 
supposedly conservative physical processes has not served the re- 
actor safety conmiunity studying conmiercial nuclear power plants 
very well. In fact, the practice is being abandoned in severe ac- 
cident analysis in favor of procedures involving realistic modeling 



194 



of a wide range of accidents with considerably different etiologies. 
One reason for this change is that one or more of these more re- 
alistic accidents is typically found to pose a more severe threat 
than the nonmechanistically described design-basis accident. In 
any case, there is no doubt that, taken in combination, the real- 
istic accidents pose more formidable challenges to reactor safety 
systems than the design-basis accidents. 

The design of the hydrogen mitigation system would benefit 
from the lessons learned by commerciai reactor safety analysts con- 
cerning design-basis accidents. In that connection, the belief that 
the accident currently used for the design basis of the hydrogen 
mitigation system is bounding is not at all transparent. Acci- 
dents involving failure of the GSCS and degraded performance of 
the emergency cooling system have previously been described and 
would seem to involve (l) more extensive fuel melting, (2) higher 
temperatures, and (3) more prolonged duration than the current 
design-basis accident [10]. Though analyses of hydrogen genera- 
tion for these accidents have not been provided, it seems likely 
that they would show far more extensive and perhaps more rapid 
hydrogen generation. Recent analyses of combustible gas genera- 
tion during accidents involving failure of the GSCS seem based on 
undefended assumptions concerning the avaUability of steam and 
neglect of steam graphite reactions [47]. 

Confidence in the reliability of the GSCS based on preliminary 
results of the recent PRA study [9] may be misguided. There 
appear to be no specific reliability data for this nniqnc system. 
The assumption in the PRA of failure rate probabilities on the 
order of 10~* for this system would therefore appear to be based 
on generic data. Furthermore, the study does not consider external 
events, such as seismically induced accidents, to which the GSCS is 
vulnerable. The piping network of the GSCS is also threatened by 
the radiation- induced expansion of the graphite moderator stack. 
Indeed, four ruptures of the GSCS piping have been attributed to 
strains caused by offsets in the graphite blocks [7]. 

In summary, the committee believes that more extensive ac- 
cidents than the current design-basis accident for N Reactor may 
be credible. These accidents would likely have substantially differ- 
ent hydrogen generation histories than the design-basis accident 
and would theiefore place different requirements on the hydrogen 
mitigation system for N Reactor. 



C 1 »^ 



195 



ANALYSES OP HYDROGEN GENERATION 

To determine the rate and extent of hydrogen generation dur- 
ing accidents at N Reactor, the contractor has considered only 
the steam reactions with the zirconium clad and uranium fuel [8]. 
These reactions are assumed to take place in a surplus of steam and 
to follow parabolic reaction kinetics. These assumptions, together 
with the assumed successful performance of the GSCS, produce an 
unusual and highly specific hydrogen generation history, as shown 
in Figure G.l. The rate of hydrogen generation rises to a sharp 
maximum as an initial layer of product oxide is formed on reactive 
metal surfaces. Inhibition to the reaction, provided by the grow- 
ing oxide layer, compensates for the effects of the slowly rising 
fuel temperature, and the rate of hydrogen production faUs drar 
matic^y from its peak. As fuel reaches melting, a hypothesized 
reduction in the surface area of the melting fuel that is available 
for reaction with steam assures that there is no acceleration in the 
production of hydrogen. A later peak in tLe hydrogen generation 
is produced when regions of the reactor fuel subjected to lower 
heating rates go through similar cycles. 

The hydrogen generation histories predicted for accidents at N 
Reactor are therefore highly dependent on the reaction kinetics of 
zirconium and uranium with steam. In the discussion that follows, 
the conmiittee exi* mines the analyses of these reaction kinetics 
and the potential for steam reactions with other materials in the 
N- Reactor core. 



Zirconhmd-Steam Reactions 

Steam reactions with the zirconium clad and process tubes 
during accidents at N Reactor are treated as obeying parabolic 
kinetics. The kinetic expression used for the analyses is one devel- 
oped by Baker and Just 

(AW)2 = 4.13 X 10« exp[-22900/T] t, 

where AW = weight gain by oxidation (mgO/cm^), t = time 
(s), and T = absolute temperatu»*e (K). Tnis rate expression was 
devised for zirconium based on tests in the temperature range of 
1270 to 2100 K. It is generally accepted that both Zircaloy-2 and 
Zircaloy-4 obey steam reaction kinetics similar to those followed 
by zirconium [12,13]. 
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FIGURE G.l Hydrogen generation rate as a function of time for the 
hydrogen mitigation system design basis. 

The Baker-Jus^ rate expression must be extrapolated to lower 
temperatures for N-Reactor accidents. It hai been found [14] that 
at about 1163 K the kinetics of zirconium oxidation undergo a 
change caused by the monoclinic-to- tetragonal phase change of 
the substoichiometric zirconium oxide reaction product. lanni [15] 
has found the following reactior> rate expressions: 

(AW)2 = 6.79 X 10^ cxp[-14595/T] t for 298 < T < 1163, and 

(AW)2 = 4.40 X 10* exp[-16860/T] t for 1163 < T < 1800. 

Urbanic and Heidrick [13] have confirmed these rate expressions 
and have hypothesized another transition at 1813 K caused by a 
tetragonal-to-cubic phase change. Prater and Courtright [16] have 
developed a kinetic expression for the steam oxidation of molten 
zirconium: 
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(AW)2 = 3.1 X 10® exp[-16610/T] t, 



where T > 2123 K. 

Figure G.2 shows the parabolic rate constants for tiie various 
kinetic expressions as functions of temperature. Though Baker- 
Just kinetics are widely viewed as conservative, this is true only 
(or the temperature regime pertinent to accidents in conmiercial 
nuclear power plants. Extrapolation of the Baker-Just rate expres- 
sion to temperatures below about 1400 K leads to an underpredic- 
tion of the rate of steam reaction with zirconium. It is, of course, 
in this low-temperature region where most of the steam-zirconium 
reaction would occur during accidents at N Reactor [8]. 

Quite clearly, analyses of hydrogen generation for the design 
of the hydrogen mitigation system need to be revised to take into 
account more accurate kinetics. 

Although the precise values of the parabolic rate constants 
cire important in the prediction of hydrogen generation from 
zirconium-steam reactions, of far greater significance is the sensi- 
tivity of the reaction kinetics to the microstructure and integrity 
of the oxide layer produced on the zirconium. The molar volume of 
zirconium oxide is, of course, much greater than that of zirconium 
(Bedford-Piling number in the range 1.56 to 1.41), so the oxide is 
internally strained when it forms on the metal. This strsdn is only 
partially reduced by the expansion of the metal as it dissolves oxy- 
gen. Excessive strains will eventually cause the oxide to rupture, 
and this will initiate a sudden acceleration in the rate of reaction 
as some of the inhibition provided by the oxide is lost. 

Rupture of the oxide coating has not been shown to be an 
especially troublesome problem in studies of zirconium oxidation 
kinetics using fiat specimens at isothermal conditions. But during 
N-Reactor accidents, nonisothermal oxidation would take place 
simultaneously on concave and convex surfaces. These surface 
geometries can exacerbate the innate strains of oxide growth [28). 
On convex surfaces, poorly adherent oxide layers can buckle to 
relieve the compressive stresses (see Figure G.3). More adherent 
oxide layers, as growth of the layers continues, develop tensile 
stresses and fail by cracking. The effects are made worse by the 
monoclinic to tetragonal phase change. On concave surfaces, the 
initial compressive stresses grow with oxide growth, and rupture 
of the oxide can occur by shear (see Figure G.3). Contortion 
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FIGURE G.2 Comparison of parabolic rate constants from various studies 
of zirconium oxidation in steam. 
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FIGURE G.3 Modes of oxide layer rupture during oxidation of convex and 
concave sirconium surfaces. 

and derormation cf the clad and fuel observed in experiments [?l] 
would make oxide layer rupture by these processes quite likely.^ 

Thermal transients are also known to rupture zirconium oxide 
layers on zirconiunn. For small temperature changes, fissures de- 
velop in regions of reduced oxide plasticity caused by anisotropy 
in the oxidation [29], and such inhomogeneity in the oxidation of 
N-Reactor fuel and process tubes would appear to be difficult to 
eliminate (see Appendix E). 

^ There has been relatively little concern with phase transformations 
and oxide stresses in the analysis of steam-zirconium reactions during com- 
mercial reactor accidents. Thi^ is because the higher heatup rates of fuel in 
light-water reactor accidents lead to very little oxide being formed at low 
temperatures where the oxide is brittle. At the high temperatures of com- 
mercial reactor accidents, the sirconium oxide layers are sufficiently ductile 
to relieve strains that would cause oxide failure during N- Reactor accidents. 
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Large cooling transients could be induced in the N-Reactor 
fuel by "chugging" of coolant into tubes during partial perfor- 
mance of the emergency cooling system [10]. Such large changes 
in temperature can induce compressive stresses of a magnitude 
given by [17]: 



1 + 2(Eox/EM)(hox/hM) 



where 






= stress in oxide; 


Eox 


= Young's Modulus of the Oxide; 


Em 


= Young's Modulus of the Metal; 


AT 


= temperature change; 


Of ox 


= thermal expansion coefficient of the oxide; 




= thermal expansion coefficient of the metal; 


hox 


= oxide thickness; and 


hM 


= metal thickness. 



Compressive stresses such as these will cause rupture of the oxide 
layer by spalling, which could be catastrophic. 

The assumption of an uninterrupted progression of parabolic 
kinetics for steam reactions With zirconium during accidents at N 
Reactor needs to be defended. There are a variety of mechanisms 
that can cause disruption of the oxide, acceleration of the oxida- 
tion, and concomitant hydrogen production. Indeed, what data 
there are [46] show that hydrogen generation for N-Reactor fuel 
varies with time to the power 0.72 rather than the power 0.5. This 
is a substantial deviation from the parabolic kinetics assumed in 
the hydrogen design-basis accident analysis. Moreover, these lim- 
ited tests did not involve all the factors that can disrupt reaction 
kinetics during N-Reactor accidents. The uncertainty in hydrogen 
production caused by these processes needs to be recognized in the 
analyses of N-Reactor accidents aind in the design of a hydrogen 
mitigation system. 

Kinetics of the Uranium-Steam Reaction 

For the analysis of hydiogen generation during N-Reactor 
accidents [8], the uranium-steam reaction is assumed to follow the 
parabolic kinetics developed by Wilson et al. [18]: 
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(AW)2 = 9.94 X 10* exp[-9361/Tl t for 873 < T < 1473 K, and 

{AW)2 = 8.10 X 10^cxp[-12600/T]tforl473 < T < 1373 K. 

These rate expressions were derived from isothermal studies. Ex- 
posure times were less than 200 minutes and usually less than 90 
minutes. 

Baker [19] also derived parabolic kinetics for the uranium- 
steam reaction from nonisothermal quenching experiments: 

(AW)^ = 4.43 X 10® cxp[~15000/T] t. 

Initial temperatures of specimens in these experimerts were 870 
to 4000 K. 

Other investigators do not agree that use of parabolic rate 
expression for the reaction of steam with uranium metal is appro- 
priate. Both Hopklnson and Scott [20] found linear kinetics for 
temperatures up to 1150 K. At temperatures between 1150 K and 
the melting point of uranium, parabolic kinetics were obtained for 
reaction periods of up to 1 to 2 hours. Thereafter, linear behav- 
ior developed. Linear kinetics were observed for the reaction of 
molten uranium. 

Again, it is noteworthy that what little data there are on steam 
oxidation of N-Reactor fuel do not conQrm parabolic kinetics [46]. 

Obviously, there aie substantial uncertainties in the kinetics 
of uranium oxidation. Replacing the parabolic rate expressions 
used in the N-Reactor accident analysis with linear kinetic ex- 
pressions would have profound effects on the rate of hydrogen 
generation. Inhibition to the rate of reaction by the growth of 
the oxide product implied by parabolic kinetics would disappear 
as would the calculated fall ir the rate of hydrogen generation. 
Prudence would dictate that allowance should be made for this 
uncertainty in the analysis of hydrogen generation for the design 
of a hydrogen mitigation system. 

It is further assumed in the analysis that once the uranium fuel 
melts, there is a reduction in the surface area available for reaction 
to 10 percent of the value prior to melting [8]. This assumption is 
poorly supported by available data that suggest that the melting 
fuel exhibits a foaming beh:.vior, which would enhance the surface 
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area available for reaction [21]. This foaming and enhancement of 
surface area is probably caused by an acceleration in the release 
of volatile fission products as the fuel nr ^Its. 

Large uncertainties must be ascribed to the hypothesized re- 
duction in surface area available for oxidation, and therefore it is 
only prudent to examine less benign possibilities. Such an exam- 
ination should include the possibility that nnolten uranium could 
locally attack corroded and flawed process tubes and drain into the 
gr^hite stack. This would not only enhance the surface area avail- 
able for reaction with steam, but also produce additional heating 
from the carbon reaction with uranium. 

Steam Oxidation Graphite 

The N-Reactor graphite moderator stack consists of about 1700 
tons of graphite surrounding the fuel. Its purpose is to moder- 
ate neutrons. Use of graphite as a moderator, probably more 
than any other feature of the N Reactor, has attracted attention 
because of the superficial similarity that it represents to the So- 
viet RBMK reactor at Chernobyl, which also used graphite [22]. 
Though accidents of the precise type experienced at Chernobyl are 
not physically possible at N Reactor, the presence of such a large 
mass of combuptible graphite cannot be ignored. The possibility 
that the inerting of the raactor vault might not be maintained in 
an accident and that the graphite might bum as air is drawn into 
the vault is discussed elsewhere in the report The focus here is on 
reactions of steam with gr^hiie to produce hydrogen and either 
flammable carbon monoxide or nonflammable carbon dioxide: 

H2O + C (graphite) CO + H2 

2 H2O + C(graphite) CO2 + 2 H2 

Though these reactions are endoergic, they are quite possible in 
a thermochemical sense and consequently coi ld, in principle, con- 
tribute to the threat of combustion in the N- Reactor confinement. 

The reactions of steam with graphite have be«n neglected in 
defining the design basis for the hydrogen mitigation system for N 
Reactor [8]. The rationale for having failed to trea^ these reactions 
is based on two points: 
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L With the GSCS intact during the accident, temperatures 
within the graphite are kept low. 

2. The rates of steam reactions with graphite are low. 

The first of these considerations was discussed earlier. The kinetics 
of steam-gr^hite reactions are considered here. 

The rates at which steam will react with graphite have often 
been studied. Typically, three regimes for the reaction are defined 
(22). At elevated temperatures, the rate of reaction is controUed by 
mass transport eficcts. At low temperatures (< 1000 K) the rate 
of reaction is limited by the intimate surface reactions of oxidant 
(steam) with graphite. Analyses of N Reactor accidents with the 
GSCS intact suggest that this low-temperatui? regime is the most 
pertinent, and chemical kinetics contrd the rate of reaction. Typ- 
icaUy, the rate of steam-graphite reaction is formulated in terms 
of Langmuir-Hinshelwood kmetics based on the reaction steps: 

H20(g) + S o E2 + (0]s 

(01s - CO + S, 

where S design ates an active surface site and [0)s designates an 
occupied surface site. The rate expression is [24): 

Rate [grams carbon gasified/gram carbon-second^ = 

Ki(T) P„,o FcAT FbUR 
1 + K2(T)P|}, + K3(T)Ph,o' 

where = partial pressure of x in the gas, and Ki(T) = rate 
parameters for i = 1 to 3. The rate expression is empirically 
modified by the parameter N (typically N is about 0.75) to account 
for lost active sites. Geometrical evolution is accounted for by the 
parameter Fbur. Catalysis of the reaction is described by the 
parameter Fcat- More complete rate expressions that account for 
the effects of product gases have been developed by Ergun (25). 

Analyses of the reaction presented in the NUSAR document 
1) were based on kinetic parameters reconunended by Woodley 
26). These parameters are compared in Table G.l to parameters 
used in a more recent study for N Reactor (27) and from other 
studies in the literature [24). The scatter in the data, none of 
which are for the exact graphite used in N Reactor, is likely to 
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TABLE G.l Kinetic Panmeten for the Steam Oxidation of Graphite 



Parameter 


Value from Reference 






126] 


[27] 


[24] 


Kj(T) 


5.94 exp[-16460/T] 


2.97 X 10^ exp(-20584/T] 


9.12 X 10^ exp(-32960/T) 


Kj(T) 


9.4 X 10'" exp[30599/T] 


0.0166 exp[l4394/T] - 


4 49 X 10'^ exp(14398/T) 




7.06 X 10'^^ exp(39909/T] 


0.0531 exp[l5840/T] 


1.32 X 10'^ exp(15805/T) 


N 


1 


0.76 


0.75 



^ Set to eero for accident analysis. 



by irradiation by gamma rays during reaction, both of which are 
reported to enhance the rate of reaction [31]. 

A recent analysis of the steam oxidation of N-Reactor graphite 
when the GSCS is not functional [27] indicates that about 5.7 
percent of steam flowing through the graphite block will react with 
the graphite. If the steam flow is that which can be ^dnerated by 
the helium purge system [30), then hydrogen would be produced at 
the rate of about 60 kg/hr (1980 cu.ft./min) and carbon monoxide 
would be produced at a rate of about 840 kg/hr (27). These 
rates are similar o the ratex of hydrogen production for just the 
steam-metal reactions considered in N*Reactor accident analyses 
to date. This res^ilt stands in sharp contrast to a recent analysis 
of the consequences of failure of the GSCS prepared by the N- 
Reactor staff* [47]. In their analysis no combustible gas generation 
caused by steam reaction with graphite was included despite the 
loss of the cooling provided by the GSCS. It is difficult to reconcile 
this result with available information on steam-graphite reactions 
or the heat up of the N-Reactor gr^>hite when cooling is lost. 

Reactions of steam with graphite, when the reaction is con- 
trolled by the rate of chemical processes rather than mass trans- 
port, can be accelerated by catalysis [32,22]. Such catalytic ac- 
tivity has not been considered in the analysis of accidents at N 
Reactor, even though ratner mundane materials can act as cat- 
alysts. For instance, iron, cobalt, and nickel have been found to 
accelerate the steam reactions with graphite by factors of 32, 27, 
and 19, respectively [34]. In view of the age and the nature of 
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operation of the N Reactor, it is difficult, if not impossible, to 
preclude the presence of such catalysts. 

Perhaps even more significantly, fission products are known to 
catalyze the steam reaction. Alkaline earth oxides, for example, 
are known catalysts [36-38]. Everett et al. [37] found that at 1120 
K barium and strontium salts at concentrations of 0.05 percent in 
the gr^hite accentuated the rate of steam reaction with graphite 
by factors of 1000 and 130, respectively. It appears that barium 
and strontium lower the activation energy for reaction [38]. There 
is evidence that Ru, Rh. and Pd will also act as catalysts [39,40]. 
Lithium, sodium, and potassium catalyze the steam reaction with 
carbon by a reaction process presumed to be [35]: 

MjCOs (1) + 2 C — 2 M (g) + 3 CO 

2 M (g) + 2 HjO - 2 MOH (1) + Hj 

2 MOH (1) + CO — M2CO3 (1) + H2 

where M = Li, Na, K. In view of the similarity of potassium and 
cesium chemistries, it is likely that cesium, too, will catalyze the 
reaction. 

It appears, then, that catalysis of the steam reaction with 
giaphite, if not initiated by impurities already in the N-Reactor 
graphite, could be initiated once core degradation leads to fission 
product release and fission products contact the graphite. The 
catalysis of graphite reactions could lead to production of both 
CO and H2 at rates comparable to those currently considered in 
the design basis accident. Such combustible gas generation will 
certainly occur if the GSCS has failed and may be significant even 
if it has not failed. 

In view of the above, neglect of the graphite-steam reactions 
in N-Reactor accident analyses is questionable. 

The Oxidation of Boron Carbide 

The N Reactor uses boron carbide both in control rods and in 
the backup scram system. Boron carbide will react with steam to 
form hydrogen [41,42]: 

B<C + 6 H2O — 2 B2O3 + C + 6 Hj. 
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To date, this reaction has not been considered as a potential source 
of hydrogen in analyses of N-Reactor accidents. 

The N Reactor's boron carbide control rods are well>sheathed. 
Consequently, this boron carbide would experience little exposure 
to steam, except as a consequence of a very catastrophic event 
that disrupted the core. 

Boron carbide used for the backup scram system is in the 
form of unsheathed spheres (with diameters of about 0.95 cm) 
that are dropped into 107 vertical channels in the N-Reactor core 
[1]. There are liners on the channels, although they do not her- 
metically isolate the channels.^ It must be presumed that under 
accident conditions these channels are possible vent pathways for 
steam from the core, and that the boron carbide balls would be 
bathed in steam. The reaction of boron carbide with steam is 
readily detectable at temperatures as low as 250°C [39J. Definitive 
analyses of temperatures that can develop within the ball channels 
under accident conditions are not available. It appears that low 
temperatures can be maintained in the core only if the GSCS re- 
mains functional during the accident. As noted earlier, this system 
is not of safety grade. 

The reaction of boron carbide with steam is kinetically slowed 
by the formation of a protective outer layer of the condensed 
reaction product, B2O3. The reaction would be expected to obey 
parabolic kinetics initially. At somewhat elevated temperatures, 
molten B2O3 (which has a melting point of 733 K) would drain 
from surfaces, thus limiting the protection provided by the product 
layer. Reaction of B2O3 to form vaporous boric acid: 



would further limit the growth of the product layer Overall, par- 
alinear kinetics would be expected for the reaction of boron carbide 
with steam. Relatively little quwtitative data are available on the 



Prior to inttallation of the liners, some boron carbide balls were *lott" 
within the N- Reactor graphite stack. It is presumed here that these *lo8t* 
balls constitute a trivial mass of reactive material. 

^The neutronic consequences of bor^^n relocation by this reactive vapor- 
isation process are not exatn ned here. 



B2O3 -f H2O 



2 HBO2 (g) 



B2O3 -f 3 H2O 



2 H3BO3 (g) 
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reaction kinetics. There is evidence of some tendency for localized 
or "pitting* corrosion of boron carbide by steam (41). An empiri- 
cal study of the corrosion, using B4C balls of the type employed at 
N Reactor, has been conducted and shows the reaction to proceed 
rapidly above about 1000 K [45]. 

Litz and Mercuri [43] found the rate of steam reaction with 
boron carbide to be: 

where Ph^o is the steam partial pressure in atmospheres. Based on 
this ra' . expression about 30 of hydrogen would be produced 
per hour if the boron carbide balls in N Reactor were flooded with 
steam at 800 K. Thk hydrogen would supplement that produced 
by steam reactions with the fuel, clad, and graphite. 
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NATIONAL RESEARCH COUNCIL 

2101 Consntution Avenue Washington D C 20418 
COMMISSION ON PHYSICAL SCIENCES COMMISSION ON ENGINEERING AND 

MATHEMATICS. AND RESOURCES TECHNICAL SYSTEMS 

COMMITTEE TO ASSESS '\FET> AND 
TECHNICAL ISSLES AT DOE REAaORS 

August 26, 1987 



Secretary John S. Herrington 
Department of Energy 
Washington, D.C. 20585 

Dear Secretary Herrington: 

On May 22, 1987, Dr. James F. Decker, the Acting Director of 
the Office of Energy Research, asked the Committee to Assess Safety 
and Technical Issues at DOE Reactors to review the technical 
adequacy of the Department's proposed approach to hydrogen 
mitigation at the N Reactor. I am vjriting on behalf of the 
Committee to respond to this request. The Cononittee will shortly 
submit another report that will discuss a range of other issues 
associated with the Department's production reactors. 

The scope of the Committee's review of the proposed approach 
to hydrogen mitigation has been limited. As requestpd by the 
Department, we have focused on the overall advantages and 
disadvantages of the proposed approach. We have not performed a 
detailed design review. We have not reviewed operating procedures 
or training requirements, which are critical to the successful 
implementation of the approach. Moreover, we necessarily have 
relied on the accuracy of the detailed calculations in the 
materials that were submitted to us for review. Finally, our 
review has not addressed some of the more general assertions 
included in the contractor's documents. A list of the materials 
provided to the committee is appended. 

In Part I of this letter we focus on ihe nature of the 
problem, the Department's proposed approach, and our principal 
conclusions. In Part II, we turn to a detailed discussion of 
specific issues. Both parts o^ the letter presuppose a basic 
familiarity wjth the relevant characteristics of N Reactor. These 
are described nore fully in the materials prov.ded to us for 
review. 



I. 



The protection of the public in the event of a severe accident 
at the N Reactor depends on maintaining the integrity of the 
reactor's confinement system the safety system that is designed 
to attenuate the reiea-e of fission products in the event of an 
accident. Because the confinement has not been designed for and 
is unlikely to be able to withstand hydrogen burns of any 
significant size» it is important that combustible concentrations 
of hydrogen be prevented within the confinement, except in very 
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localised areas near the hydrogen source. In order to evaluate 
this issue, the contractor for the facility has conducted a series 
of analyses in which certain defined releases of hydrogen were 
assumed to occur in a number of locations within the confinement. 
The results of these analyses indicated to the contractor that, for 
the assumed rate and quantity of hydrogen released, there are only 
two locations in the confinement where combustible limits could be 
achieved — the pipe-barrier space and the pressurizer-penthouse 
area. In other areas of the building, the contractor predicted 
that mixing would be sufficient to prevent a flamnable 
concentration from being reached. The contractor further concluded 
that even if a burn were initiated in the pipe-barrier space, the 
increase in pressrre would be dissipated in the larger volume of 
the confinement building and the confinement function would not be 
defeated. In order to mitigate the potential problem in the 
penthouse and to provide additional protection from the release of 
hydrogen in a severe accident, the contractor has developed a 
concept for a hydrogen mitigation system. 

The proposed concept is intended to satisfy four basic 
functional requirements: 

Provide adequate mixing between subcompartments of 
the building to assure that burnable concentrations 
of hydrogen do not accumulate. 

Monitor hydrogen concentrations at various 
locations within the building. 

Fill the confinement with inert ^as after the 
initial release of steam to assure tnat burnable 
compositions are precluded in the long term- 
Provide an exhaust system to displace air to 
support the inerting function and to establish a 
lower pressure in the building than outside the 
building, thus preventing outleakage through the 
walls and bypass of the filter system. 

The first function is to prevent burnable concentrations of 
hydrogen. The second function provides informatior to plant staff 
that could be useful for identifying and mitigac pg severe-accident 
situations. The latter two functional requi.er^. .3 could be just 
as important in that, if properly inpleme.ited ^/ .^ couH provide a 
margin of protection in the event that relea:e of hydrogen are 
greater than the assumed hydrogen source. 
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The contractor considered alternative approaches to hydrogen 
mitigation. Preinerting and distributed ignition systems, which 
are methods for hydrogen control used in cofflmercial reactors* were 
found not to be appropriate for the N-Reactor confinement system. 
The initial venting of the building atmosphere that occurs in the 
proper operation of the confinement system would defeat any 
preinerting system, and the confinement might not be able to 
withstand pressure pulses that could occur with a distributed 
ignition system* particularly for accidents involving large 
releases of hydrogen. This latter conclusion is consistent with 
the observation of pressure rises of many pounds per square inch in 
tests of ignition systems performed by the Electric Power Research 
Institute in a large-scale facility at the Nevada Test Site. 
Within the bounds of reasonable cost, there is no apparent 
preferred alternative to the concept proposed by the contractor. 

The Committee's overall assessment of the general approach to 
hydrogen mitigation is favorable. In indicating its agreement with 
the general approach to hydrogen mitigation at N Reactor, the 
committee is not rendering a Judgment as to the adequacy of the 
proposed system. Any judgment as to the adequacy of the system 
must be guided by an assessment of the general approach, careful 
analyses of the system under various hypothetical accident 
scenarios, evaluation of a detailed design, and construction and 
operation in compliance with appropriate safety standards. Because 
the analysis is only at a preliminary stage, this letter addresses 
only the first of these necessary factors. 

The oasic strategy of forced mixing to remove the potential 
for hydrogen pockets, monitoring of hydrogen at key points within 
the confinement, and the activation of an inert ing/exhaust function 
appears to us to be sound. Indeed, the approach may provide a 
margin to accommodate some uncertainty relating to the amount of 
hydrogen generated in an accident. However, as discussed further 
in this letter, there are aspects of the underlying analyses and 
certain potential limitations of the proposed system that deserve 
further careful evaluation. 

The principal aspects of the approach that merit further study 
or improvement may be briefly summarized: 

The system design is premised on a specific accident 
scenario. In the Committee' » view, the predicted 
performance of the mixing and inerting systems should 
be examined for a broader spectrum of accident 
scenarios and release rates for hydrogen. For 
example, the assumption of the continuing operability 
of the Graphite and Shield Cooling System (GSCS) in 
the event of an accident needs thorough 
examination, particularly in terms of any 
possible degradation of the GSCS in an accident. 




In the course of examining a broader spectrxim of 
accident scenarios and hydrogen release rates, the 
contractor should extend the mixing calculations to 
address localized mixing and combustion. In 
addition, the contractor should examine the geometric 
configurations near possible release points in order 
to assure that localized concentrations of hydrogen 
do not permit local detonations that could challenge 
the confinement or other safety systems. 

The capability of the filter system to withstand the 
loading of aerosols in an accident should be reviewed 
and, if necessary, the capability of the system 
should be upgraded. 

The survivability of vital sensors and mitigation 
equipment should be assessed. The equipment must be 
capable of operating in severe-accident environments 
characterized by wide variations in thermal* 
hydraulic, radioactive and inert aerosol loads, and 
high radiation fields. 

The operation of the system necessitates the 
discharge of noble gases to the environment in the 
event of an accident. Although the operation of the 
system would decrease the risk of failure of the 
confinement following an accident, its operation 
would result in potential increases in whole-body 
doses to persons outside the plant. Means should be 
investigated to assure satisfaction of the dose 
limits of 10 CFR Part 100 without relaxing the speed 
with which inerting takes place. Such an 
investigation should take into account recent 
research that shows that the actual quantity and 
chemical form of the fission products released in a 
severe accident would be quite different fron the 
source terms commonly assumed m such analyses m the 
past. 

The Committee recommends that these concerns be resolved before the 
implementation of the proposed approach. The detailed design 
should be subjected to an independent review before hardware 
installation. Careful review of other aspects of the system, 
including operating procedures and training, is also warranted. 
In addition, prior to installation, the contractor should aissess 
the effect of the proposed system on plant risk to determine 
whether the system would m fact result m lower risK to the 
public. 
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II. 

There ; -e a number of aspects of the proposed approach that 
warrant specific conment. 

The Design Basis For The System 

Th«k BQzident s-^^n^rio used as the design basis for the 
hydrogen-mitigation system was justified through a preliminary 
probabilistic risk assessment conducted by Los Alamos National 
Laboratory. In this scenario » the emergency core cooling system is 
assumed to fail following a large pipe break accident. An effort 
was made to be conservative in analyzing this accident and thus to 
provide for uncertainties, which at the present state of the 
analysis are substantial. The principal conservatisms in the 
analysis are the assumption of an unlimited supply of steam for the 
metal-water reaction (the source of the hydrogen) and the doubling 
of the hydrogen release that is calculated. 

In our view the accident scenario that provides the design 
basis for the mitigation concept is not unequivocally 
conservative. We thus recommend that further consideration be 
given to alternative accident scenarios. Two assumptions in the 
current analysis clearly warrant increased attention: 

The analysis assumes that the cooling system for the 
graphite moderator (the GSCS) would be fully 
operational following an accident. The assumed 
continued operation of the GSCS reduces the 
calculated rate of hydrogen generation. This 
assumption should be validated from either a 
probabilistic standpoint (i.e., low probability of 
GSCS failure) or a mechanistic analysis (i.e., that 
the hydrogen source resulting from failure or 
degradation of the GSCS can be accommodated by the 
mitigation system). 

The analysis assumes that only a small fraction of 
the surface area of the uranium fuel is available 
for oxidation after melting. This serves to limit 
the extent of the metal-water reaction and thus the 
amount of hydrogen that is evolved. This assumption 
could be a major source of non-conservatism m the 
present analysis. More model development and 
experimental validation are warranted. Similarly, 
further consideration should be given to the 
possibility of catalytic enhancement of the reaction 
of giaphite and steam, to the potential for 
fracturing of the zirconium oxide layer that is 
formed on the fuc^ during the presumed accident, and 
to the potential underestimation of the kinetics of 
zircaloy oxidation. 
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Although the Committee has concerns that the design basis for the 
hydrogen mitigation approach p»ay not be demonstrably conservative, 
we believe that the approach provides a margin which, if maintained 
in implementation, may accommodate higher hydrogen release rates. 

Hydrogen Monitoring System 

The monitoring of hydrogen concentration within 
subcompartments of the confinement building is important because it 
provides information on localized conditions that can guide 
decisions in an emergency. The hydrogen monitoring system that is 
currently being installed measures the concentrations of hydrogen 
and oxygen electrochemically in ten sampling locations in key 
regions of the confinement volume. The system will require at 
least 30 minutes to cycle through the ten sample points to sample 
the entire confinement atmosphere. 

The detection of hydrogen should not govern the activation of 
the hydrogen-mitigation system; the completion of the inerting 
function requires a mm»ber of hours and if it were not started 
until after hydrogen production is observed, it might be activated 
too late for the system to be effective. Furthermore, the 
30-minute cycling interval is definitely longer than desired even 
if the measurements are not the sole guide for the activation of 
the hydrogen-mitigation system. Given the importance of timely 
information on the status of the system in an emergency, the 
capability for more rapid measurement should be sought and 
achieved. In addition, it is important that a monitor be placed 
near the point of release of the vent lines that connect with the 
dump tank for the reactor's depressurization valves, since this is 
the most likely point of release of hydrogen from the primary 
system for certain kinds of accidents. 

Hydrogen Mixing System 

Studies by the contractor have indicated that hydrogen 
concentrations after an accident would be expected to uxceed the 
combustible limit (4 percent) in the small pressurizer penthouse if 
there were no forced mixing. The focus of the design for the 
mixing system, therefore, is to prevent the buildup of hydrogen in 
the penthouse. Redundant mixing fans with a capacity of 25,000 to 
40,000 cubic feet per minute would remove air from the front face 
of the reactor and discharge it to the penthouse. Return flow 
through cross vents would provide for mixing the major 
confinement volumes. 



If the assumed hydrogen source term and the mixing 
calculations are reasonably accurate, the proposed mixing capacity 
should be fully adequate to prevent burnable concentrations (other 
than very localized concentrations at the break location) within 
the confinement. However, it is unclear how much margin exists in 
other regions, such as the pipe gallery and steam generator cells, 
in the event that hvdrogen production rates should exceed the 
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postulated hydrogen release. Hence, the Comnittee recoimends more 
thorough evaluation of alternative accident scenarios and the 
uncertainties associated with calculations for hydrogen pocketing 
and stratification. 

The basis for the concept of the mixing system derives from 
analytical simulations of hydrogen mixing in the N-Leactor 
confinement which indicate to the contractor that, with the 
exception of the pipe^barrier space and penthouse areas, 
natural-convection currents would be sufficiently strong to yield 
an essentially uniform concentration of hydrogen throughout the 
confinement volume. Validation of these analytical tools and 
their applicability to the problem of hydrogen mitigation at N 
Reactor (particularly with regard to the different scales of 
hydrogen stratification '.hat may occur in the confinement) remain 
to be demonstrated. It is wej.1 known thac calculated results for 
mixing processes in large open compartments are influenced by the 
degree of nodal izat ion for lumped-parameter models and are subject 
to numerical diffusion errors for finite-difference codes. The 
Committee also recommends that the geometric configurations near 
possible hydrogen release points tcom the reactor coolant system be 
reviewed to assure that concentrations of hydrogen do not permit 
local detonations that could threaten the confinement or other 
safety systems. 

Inert ing/Exhaust System 

The proposed inerting system would consist of redundant trains 
of nitrogen, supplied from stored quantities of liquified nitrogen, 
at a rate of up to 20,000 cubic feet per minute. Activation would 
follow primary system depressur ization and the associated steam 
venting from the confinement following an accident. In order to 
allow the inflow of nitrogen without overpressurization of the 
confinement, an equal flowrate of air must be exhausted. In the 
proposed system, which has a nximum capacity of 23,000 cubic feet 
per minute, a negative pressure differential is expected to be 
achieved (relative to the atmosphere) shortly following the initial 
venting of the confinement. This has the benefit of reducing the 
subsequent direct outleakage of radioactive material through the 
walls of the confinement. This type of outleakage is a major 
contributor to the calculated doses, particularly thyroid doses, 
that are estimated in the current N-Reactor safety analysis report. 

The contractor's calculations at N Reactor indicate that at 
the r.aximum rate of nitrogen introduction, with accompanying 
displacement of air Iron the confinement, inerting could be 
complete (less than 5 percent concentration of oxygen) in about 3.5 
hours. Some hydrogen would also be displaced from the confinement 
by the nitrogen, further delaying the time required to achieve 
burnable quantities. 
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The Committee has examined the inert ing capability using a 
simple single-volume model and assuming instantaneous mixing. We 
applied the model to study a range of hydrogen release rates into 
the confinement. The calculation reveals that a margin is 
available to cope with larger releases of hydrogen than are 
generated in the design basis scenario. This margin, if it in fact 
were achieved in implementation of the approach, serves to 
alleviate somewhat the Committee's concern that the postulated 
accident that serves as the design basis is not unequivocally 
conservative. 

In order to achieve the extra margin, however, the system must 
be well mixed and the exhaust and inerting rate must be high 
(20,000 cubic feet per minute). The contractor did not provide 
adequate information to enable us to assess whether the mixing 
condition would be achieved, particularly for the steam generator 
cells. And care must be taken in implementation of the system to 
assure that rapid inerting can be achieved without accompanying 
releases that might compromise public health. 

The operation of the inert ing/exhaust system following an 
accident would discharge noble gases to the environment more 
rapidly than would the existing design, resulting in potentially 
higher whole body doses to individuals outside the plant. There is 
a direct tradeoff between the benefit of preventing hydrogen 
explosions through inerting and the cost of increasing the doses 
from noble gases. The implementation of the approach must provide 
a rapid inerting capability and assure compliance with the dose 
limits of 10 CFR Part 100. In this connection, it is important to 
recognize that assuring compliance with 10 CFR Part 100 involves 
uncertainties associated with operation of the ccnf ineiT^ent system 
that were not analyzed in the material provided to thri Committee 
(for example, the confinement vent valves, the sp'av system, the 
filters). 

Implemention of the contractor's proposal will also require 
careful reevaluation of the filter system. Higher exhaust flow 
could increase the aerosol loading on the filters and, hence, 
increase the likelihood of filter failure. Moreover, the decreased 
resiaence time of aerosols within the confinement system after an 
accident would decrease the effectiveness of the confinement sprays 
in removing aerosols from the atmosphere and thereby increase 
further the threat to the filter system. The potential aerosol 
source term; the spray effectiveness in the removal of aerosols, 
and the failure criteria for overloading of the filters require 
careful examination by the contractor. 
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Other potential failure modes of the confinement system that 
stem from the activation of the hydrogen-mitigation system also 
warrant scrutiny. For example, the injection of cold nitrogen into 
the confinement in conjunction with operation of the fan exhaust 
system could reduce the pressure in the confinement, possibly 
challenging the structure. Careful examination of the interaction 
of the hydrogen-mitigation system with the confinement design and 
operation is necessary. 

Finally, it should be recognized that, as with any inerting 
system, there is a possibility of accidental actuation. Careful 
controls must be employed to prevent inadvertent actuation of the 
system and to alert personnel located in the building in the event 
it occurs. 

Design, Control System, Procedures, and Training 

The hydrogen mitigation concept has not developed to the point 
at which the details of the design, the control system, the 
operating procedures, and the training programs can be assessed. 
It is clear, however, that successful implementation of the concept 
must rely on the careful development and implementation of these 
elements. Accordingly, we recoiranend a detailed independent review 
of each of these elements. 



We hope that these comments are helpful. Please feel free to 
contact the Committee if we can provide any further assistance. 




Chairman 



cc: Joseph F. Salgado 
Janes F. Decker 
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Appendix H 
Structure of the DOE Safety System: 
Technical Discussion 



This appendix describes the general system that is used to 
establish and assure the safety of the nation's defense production 
reau:tors. 

The U.S. Department of Energy (DOE) has established a 
safety system for the production reactors that has three major 
elements: 

• A safety objective; 

• Orders that prescribe the means for achieving the objective; 

and 

• A process for ensuring and verifying compliance. 

The committee concludes, based on the examination that follonv^ 
that DOE's conception and implementation of each of these ele- 
ments is less comprehensive, understandable, and consistent than 
is desirable. 

The safety system is highly complex. No single document 
describes the structure of the system as a whole. Nor is there a 
single source for DOE's safety objective and operating standards. 
These derive not only from the Department's Orders, but also 
from legislation, field office directives, contracts, award fee eval- 
uation plans, contractor performance goals, safety and hazards 
analyses, technical specifications, technical and process standards, 
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test authorizations, and various types of appraisal reports. To 
attenript to capture the essence of the safety philosophy reflected 
in this large volume of material is not a trivial undertaking. The 
discussion that follows, therefore, is net intended to be compre- 
hensive; it merely aims to illustrate some of the major features of 
the DOE safety system in order to provide a basis for some general 
conclusions. 

SOURCES OP DOE'S SAFETY OBJECTIVE AND 
STANDARDS 

DOE's safety objective and standards encompass a diverse set 
of requirements. They range from highly abstract, basic safety 
principles to narrow technical operating limits governing the day- 
to-day operation of the reactors. However, as discussed below, the 
overall system is built upon a single, fundamental preimse that 
was established in legislation over 40 years ago. 

Legislation 

In operating the production reactors, DOE and its contrac- 
tors must comply with a variety of federal statutes, including the 
Occupational Safety and Health Act, the National Environmental 
Policy Act, and the Clean Air and Clean Water acts, to name 
a few. However, DOE's safety system derives from the Atomic 
Energy Act of 1954, as amended [l]. 

The Atomic Energy Act of 1954, as amended, is the primary 
statute governing the ownership and control of nuclear materials 
and nuclear reactors, both commercial and defense-related. Yet 
most of the specific provisions of the Act— and all of the licensing 
and related regulatory requirements— apply solely to commercial 
reactors regulated by the Nuclear Regulatory Commission (NRC); 
they are not applicable to those operated by DOE. Moreover, other 
than charging DOE to assure the protection of public health and 
safety. Congress has left to DOE's discretion the manner in which 
this responsibility is to be achieved. Consequently, the system 
for ensuring the safety of the defense production reactors has 
developed quite separately, and differently, from that established 
for commercial reactors. 

The nation's basic policy concerning the need for the produc- 
tion reactors is spelled out in a series of congressional findings in 
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the Atomic Energy Act. The relevant provisions of the act state 
the following: 

• The development, utilization, and control of atomic energy 
for military . . . purposes are vital to the common defense 
and security. [Sec. 2a] 

• The processing and utilization of source, byproduct, and 
special nuclear material must be regulated in the national 
interest and in order to provide for the conmion defence 
and security and to protect the health and safety of the 
public. [Sec. 2d] 

• Source and s^ <K:ial nuclear material, production facilities, 
and utilization facilities are affected with the national in- 
terest, and regulation by the United States ... is necessary 
in the national interest to assure the common defense and 
security and to protect the health and safety of the public. 
[Sec. 2e] 

The objective of protecting the public health and sn ty ap- 
peetrs in all subsequent legislation pertaining to DOE's nussion. It 
was contained in the statute that established DOE's predecessor, 
the Energy Research and Development Administration (ERDA), 
wherein ERDA was chiirged with operating the agency "... to 
advance the goalb of restoring, p otecting and enhancing environ- 
mental quality, and to assure public health and safety." [2j And 
the same broad goal appeared in the DOE Organization Act of 
1977, which stated that DOE*s mission was to include . . incor- 
poration of nation al environmental protection goals . . . and . . . 
the goals of . . . assuring public health ana safety." [3] 

It is clear, theretore, that DOE's overriding responsibility with 
regard to the production reactors is protection of public health and 
safety. It is important to recognize, however, that Congress gave 
DOE nearly complete discretion to determine h'^^y it should go 
about protecting the public. 

Department Orders and Directives 

The DOE regulates the production reactors by prescribing 
"Orders" that, as a result of contractual provisions, must be fol- 
lowed by the contractors. (Table 1.1 in Chapter 1 presents a list 
of the main safety-related DOE Orders currently applicable to the 
production reactors.) 
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The DOE Orders set forth requirements for the production 
reactors either directly, in the form of specific provisions in the 
Orders, or indirectly, by reference to standards established else- 
where. These requirements define how the Department expects 
public health and safety to be assured. They establish a set of pre- 
scribed activities and goals, including the identification of poten- 
tial hazards and their consequences [4]; assurance that reasonable 
measures are taken to eliminate, control, and mitigate hazards 
[4]; reduction of identified safety and health risks, where possible, 
whether mandated by specific requirements or not [5]; and opera- 
tion, maintenance, and modification of the reactors in accordance 
with standards consistent with those applied tc comparable li- 
censed reactors. [6] These various activities can be summarized in 
terms of two major safety objectives: (1) to establish comparabil- 
ity of the production reactors with commercial licensed reactors, 
and (2) to effectively identify, prevent, and mitigate production 
reactor risks. How these objectives relate to one another is unclear. 
What is clear is that the Department's approach depends entirely 
on judgments and interpretations of what such terms as "ade- 
quate protection," ''reasonable measures," and "conparability" 
with licensed reactors may mean.^ 

The DOE Orders identify standards — programs actices, 
procedures, and other guidelines — that the contra* are ex- 
pected to follow to achieve the Department's objective .lese are 
of two principal types: "mandatory" and "reference" standards. 
DOE has standards covering the foUowiug general areas of reac- 
tor safety: training and qualification of reactor personnel, plant 
operations, safety system modifications, safety analysis, technical 
specifications, quality assurance, materials storage and handling, 
reporting requirements, unusual occurrences, emergency planning, 
administrative controls (internal review and appraisal system), fire 
protection, radioactive waste management, and radiation protec- 
tion. 



^The Department's Orders and field organisation directives differ com- 
pletely from the requirements imposed by the Nuclear Regulatory Commis* 
sion on commercial reactors. The NRC's policy stateirsnts, rules, standaid 
review plan, regulatory guides, criteria, and bulletins and orders are far 
more self-explanatory, detailed, comprehensive, and consistent than the re- 
quirements in the DOE Orders. Moreover, the NRG has a more elaborate 
and forma) process for back&tting newly developed regulations on existing 
reactors. 
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The DOE Orders make limited reference to ccinmercial re- 
actor standards. Moreover, with the exception of those Orders 
governing reactor modification, in which the contractors are re- 
quired to meet the NRC's standards for acceptable doses at the 
site boundary during normal operations and during accidents (10 
CFR 100), the direction to meet NRC and commercial industry 
standards is generally either so qualified or so ambiguous as to raise 
doubt about the extent to which they are applicable. For instance, 
the training and qualification of reactor personnel are supposed 
to meet ANS standard 3.1 . . to the extent appropriate." [6] 
The relevant NRC regulatory guide . . shall also be considered." 
Plant modifications only have to meet the NRC's general design 
criteria (10 CFR 50) if and when DOE . . determines that safety 
can be significantly improved." [7] Contractors are required to 
document technical specifications, but the technical specifications 
themselves only have to be . . similar to those required for com- 
parable facilities licensed by the NRC. . . ." [6] Although a DOE 
Order states that an ANSI/ASME industry standard for quality 
assurance programs . . is the preferred standard for quality as- 
surance," the order elsewhere states that DOE encourages . . 
the judicious and selective application of elements of appropriate, 
recognized standards" for quality assurance programs. [8] 

DOE Order 5480.4 specifically addresses the question of stan- 
dards. It defines five sets of industry codes as "mandatory Envi- 
ronment, Safety and Health (ES&H) standards" that are required 
as a matter of DOE policy, but only if and when DOE determines 
that their application would increase safety. To our knowledge, 
no formal documentation of such a finding has ever been made. 
In addition, DOE Order 5480.4 lists many "reference ESkU stan- 
dards," which are described as "referenc s on good practice." But 
the reference standards have no specific or prescribed relationship 
to the DOE regulatory process nor are they implemented in a 
timely fashion. 

Contracts 

Du Pont operates the Savannah River reactors under a con- 
tract with the Department of Energy that was last revised in 
October 1984. [9] Prior to June 29, 1987, UNC Nuclear Industries 
operated the N Reactor ander a similar contract with DOE. [10] 
Excerpts from these contracts are presented in Appendix I. 
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The Du Font-DOE and UNC-DOE contracts have a number of 
significant differences. First, the two contracts estabUsh different 
financial arrangements between the parties. Du Pont operates 
Savannah River on the basis of a cost plus one dollar contract, 
while UNC has a cost plus incentive contract. The contract would 
have allowed UNC to have earned up to $4.9 million above costs 
in fiscal year 1987. [26] 

Second, there are significant differences between the provisions 
of the contracts that relate to reactor safety. For example, the Du 
Pont-DOE contract incorporates language that emphasizes DOE's 
public health objectives. The contract includes the statement 
that Du Pont must . . take all reasonable precautions ... to 
protect the health and safety of employees and of members of 
the public and to minimize danger from all hazards to life and 
property." [12] Du Pont is also required "... to exercise a degree 
of care commensurate w:th the risk involved," [13] and "... to 
use all reasonable efforts to carry out the project and to attain the 
objectives thereof." [14] But the specific reactor safety provisions 
of the Du Pont-DOE contract are more complicated than similar 
provisions of the UNC-DOE contract (see Appendix I). These 
more specific provisions have led to delays in implementing certain 
DOE Orders at the Savannah River site. These delays have arisen 
because of confusion and disagreements as to whether certain 
Orders relate to "reactor safety." The categorization of the Orders 
is significant because of a provision [U] in the Du Pont contract, 
which has no counterpart in the UNC contract, that provides that 
only those Orders relating to reactor safety necessarily apply at 
Savannah River. Moreover, unlike the UNC contract, the Du Pont 
contract continues to contain a provision dating from 1950 that 
. . attainment by the Contract of the objectives of the [Savannah 
Fiver] project cannot be a - jred." [14] 

The Du Pont contract also differs from the UNC contract in 
that it specifically refers to DOE's objective of achieving com- 
pel ctoility with commercially licensed reactors. Thus, Du Font's 
scope of work includes the provision that Du Pont will maintain 
"... a continuing campaign to increase safety in reactor operation 
with special emphasis on the equivalence of production reactors to 
licensed reactors." [15] 

Finally, the Du Pont contract appears to give Du Pont much 
greater latitude than is afforded to UNC in its contract with DOE. 
The Du Pont contract appears to give Du Pont somewhat greater 
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flexibility in determining; whether a particular safety issue has 
arisen, whether certain information must be reported to DOE, 
and whether a particular provision of the contract is invoked. 

Operations Dhrectiyes 

On a semiannual basis, DOE also issues so-called "operations 
directives" to the production reactor contractors. These directives 
are considered an integral part of the basic contract. [16] Oper- 
ations directives further define the scope of work under the con- 
tract and provide a list of prograrmnatic goals and, in some cases, 
timetables for the completion of activities that the contractor has 
agreed to undertake (e.g., reactor operation, fuel fabrication, con- 
struction, and so on). 

There is substantial overlap between the operations direc- 
tive° issued by the DOE Richland field oflRce ai. 1 the performance 
evaluation criteria discussed in the section below. The FY 1986 
Operations Directives relating to operation of N Reactor are listed 
in Table H.l. 

Award Fee EyaluationB 

DOE has a specific vehicle for defining safety objectives and 
imposing standards on UNC (and more recently on Westinghouse 
Hanford) that it does not have available to it in dealing with Du 
Pont. As noted above, the UNC contract provides for monetary 
"award fees" that DOE has agreed to pay to the N-Reactor con- 
tractor if its performance during a six-month period meets certain 
preestablished criteria. These preestablished performance criteria 
are spelled out in a "performance evaluation plan" [17] that is 
issued by DOE's Richland field office at the beginning of each per- 
formance period. In the last few years, as an inducement to better 
contractor performance, DOE has placed increased emphasih on 
the award fee process. [18] Thus, from FY 1985 through FY 19S7 
the amount of additional money that UNC could earn from award 
fees more than tripled. [19] 

Over the same period, DOE's performance evaluation criteria 
have become increasingly numerous and more specific. For the 
first six months of FY 1987, for example, there were over 115 
items included in the plan. [17] These criteria deal with such areas 
as general management; environment, safety, health, and quality 
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TABLE H 1 Examples of FY 1986 Operations Directives for N Reactor 



1. Operate and maintain N Reactor and support facilities in a safe, 
secure, and environmentally sound manner to achieve an FY 1986 
production goal of 705 KMWD, with less than 24 unscheduled outage 
days. 

2. Achieve 1.65 BKWH steam production during the period of November 
1, 1985, to March 1, 1986. 

3. Achieve full beneficial use of the Operations training simulator 
by December 1985. 

4. Improve the management of refueling and maintenance outages. 
Improve charge/discharge efficiency by 10 percent. 

5. Achieve substantial improvements in the quality of the front-end 
engineering and design work through increased end user 
involvement. 

6. Meet the following Production Assurance Program milestones: 

a. Issue annual surveillance report by February 1986. 

b. Issue Production Assurance Program assessment, including an 
updated program plan and current technical assessment, by 
September 1986. 

c. Demonstrate capability of 4000-toi. press to extrude N-Reactor 
pressure tubes by September 1986. 

7. Design a manual refueling machine by SeptJ>mber 1986 

8. Perform the planning, coordination, design, ^alysis, and 
development, aa specified in the N-Reactor Tritium Program Plan, 
necessary to develop a contingency plan fo * alternative product. 

9. Complete preliminary studies for Projects A-676, H-684, H-757, 
and H-758 by December 1. 1985, of the P -oductivity Retention or 
follow-on program. 

10 Achieve substantial improvements in thr quality, planning, and 
supervision of N-plant maintenance suc'a that the FY 1986 
production is not reduced through mafntenancj error, and repeat 
maintenance (throufh failure to do a .ob nght the first time) is 
eliminated. 

11. Improve maintenance effectiveness by reducing total maintenance 
backlog during FY 1986. (This includes planned and unplanned 
work authorisations for repair maintenance, modification 
maintenance, and EMS/PM maintenance.) 

12. Improve the preventive maintenance program by fully implementing 
the automated equipment history program by September 1986. 
preparing or revising a total of 400 PM procedures for FY 1986 by 
September 1986, and by continuing to implement the materials 
management plan such that production is not reduced through lack 
of spare parts. Complete a total of 80 percent green-tagging of 

all N-Reactor material in 3101-M Building by September 1986. 

13. Reduce time required during reactor outages for performance of 
equipment testing procedures by resolving at least 360 reported 
problems (feedbacks) associated with outage-related surveillance 
test procedures by September SO, 1986. 

14. Improve the effectiveness of Reactor Engineering by significantly 
reducing backlog levels of drawings that require as -built, 
Engineering Planning Request, and nonconformance reports. 
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TABLE H.I cont'd 



IK TnHirate incre&sed emphftsil and support for the ISI Program by 
preparing, r^vining^ and performing ISIi at a rate lufTicient to 
support long-term goali. 

16. Complete program plan update for Productivity Retention Program 
by January 1, 1986. 

17. Develop a long-range plan for N Reactor and supporting 
facilities that forms a basis for facility and operating 
planning. Complete plan by January 1986 to support FY 1987 
budget submittals. Maintain the Facilities Upgrade Management 
Plan current with approved/authorised expense, capital 
equipment, and PACE (<^W0. OPP, Line Item) funded projects and 
activities. 

18. Complete FY 1986 milestones in PCB Waste Management Plan for the 
Hanford . 

19. Complete critical operational and safety post-startup punch list 
items and resume operation of the 107-N Basin Recirculation 
Facility by completion of ficheduled January 1986 outage. 

20 Continue program to reduce the N Basin source term. 

21. Charaterisc performance of 1325-N cribs and trench and determine 
expected life. 

22. Conduct operations and environmental monitoring and surveillance 
so that no NPDES violations occur in FY 1986. Respond to DOE 
requests for documentation to support NPDES permit renewal. 

23 Complete program plan for update for N-Reactor Tritium Program 
by December 31, 1985 



assurance; automatic data processing; reactor operations; reactor 
support; security; programs and projects; fuel operations; safety 
enhancement program; surplus facilities management program of- 
fice support; Hanford decommissioning; Shippingport Station de- 
commissioning project; and construction. 

Some of the performance evaluation criteria represent very 
broad objectives, such as optimizing the use of available resources, 
while others involve highly specific te^ks, such as installation of 
specific equipment or delivery of particular documentation or anal- 
yses to DOE. Many of the more specific items have prescribed dates 
of completion. 

It is difficult to distinguish the award fee criteria from what 
one would think UNC would be required to do merely to comply 
with existing DOE Orders. Furthermore, although the award fee 
process provides another mechanism for inducing the N-Reacto; 
contractor to achieve DOE's safety objectives, it is almost im- 
possible to compare this system to the completely different set 
of incentives in place at Savannah River where profit is not an 
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issue. (Tables H.2 through H.5 present selected award fee criteria 
applicable during the first few months of FY 1987.) 

Appraisals 

DOE has also established and imposed standards on the pro- 
duction reactors through headquarters and field office appraisals 
of contractor performance. 

Prior to the Chernobyl accident, comprehensive DOE head- 
quarters appraisals of either the DOE field offices or the contrac- 
tors' reactor safety programs were only infrequently conducted. 
For example, in the six years prior to the accident there were only 
two such appraisals at Savannah River and only one at Hanford. 

(2c; 

The extent of aeadqudrters' involvement with the DOE field 
organizations seems to have begun to change with the appointment 
of a new Secretary of Energy in 1985. One of the new Secretary's 
first acts was to request a review of the soundness of the Depart- 
ment 's ES&H programs. That review [21] ultimately led to the 
consolidation of the Department's ES&H functions under a single 
Assistant Secretary and to the initiation of what was expected to 
be a short-term program of headquarters' appraisals of the field 
office and their nuclear contractors. These were to be under the 
direction of the new Assistant Secretary and her staff, and a sched- 
ule for the technical safety appraisals was drawn up in the months 
preceding the Chernobyl accident. [22] 

The Chernobyl accident prompted DOE to accelerate its 
schedule of appraisals and to organize teanns of outside experts 
to conduct additional reviews: separate design reviews of the Sa- 
vannah River and N reactors [23,24]; a special safety review of the 
confinement and graphite characteristics of the N Reactor [25]; 
six independent reports on the overall safety of the N Reactor by 
a group of outside experts (the so-called Roddis panel) [26-31]; 
and the review by this committee. The reviews conducted during 
1986 represented the first thorough and independent evaluation of 
the production reactors since the breakup of the Atomic Energy 
Commission more than a decade earlier. 

The 1986 headquarters appraisals of the production reactors 
largely supplanted a variety of appraisals normally conducted over 
the course of the year by the DOE field offices. As discussed fur- 
ther in the section below, previous appraisals by the local DOE 
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TABLE H.2 DOE-UNC Awftrd Fe« Criterift and Stmndardi for Environment, 

Safety. Health, and Quality Auurance. October 1, 1Q86 - M^rch 31, 

1987 



Environment, Safety, Health, and Quality Assurance Criterion: 
Continue to conduct effective quality assurance, emeigency 
preparedness, environmental, safety, and health protection programs 
in compliance with DOE directives. This includes continued emphasis 
on ALARA in reducing personnel exposure to radiation and minimising 
'-.umbers of skin contamination cases. 

Evaluation Standards: 

1. By November 30, 1986, submit a plan and schedule for 
implementation of the new revisions to the OSHA asbestos 
requirements in Richland 5480.10 29 CFR 1910.1001 and 1926.58. 
The schedule should be coordinated with HEHF and result in a 
fully functional program by January 30, 1987. Emphasis must be 
placed on removal of asbestos. 

2. By November 30, 1986, submit a plan and schedule for the 
implementation of an improved respiratory protection program to 
include qualitative person fit testing, and job-speciflc 
rei^pirator trstining. Aspects of the program should be 
coordinated with HEHF and result in a fully functional program 
by March 30, 1987. 

3. Demonstrats effectiveness of programs through superior safety 
performances and compliance with environment, safety, and health 
requirements, including ALARA. 

4. Strengthen the ALARA program to include increased accountability 
and involvement of operations personnel in the overall reduction 

of total person rem. 

5. Develop a plan to identify and minimise signiric«nt radiation 
source terms for reduction to achieve overall lowering of 
radiation exposure to personnel. 

6 Provide and implement a plan by March 31, 1987, to update NUSAR 
on a continuing basis to nr^et DOE Orders and plant needs. 

7 Continue the Technical Specification Update Program working off 
known deficiencies and plant needs on a priority basis. Assure 
that changes to technical specifications are consistent with the 
Safety Analysis Report. 

8. Establish a system for trending conditions adverse to quality, 
and for obtaining correction of the root causes of adverse 
trends. By October 31, 1986, develop and present formally to 
DOE a challenging, but achievable, schedule for development and 
implementation of this program. 

9. Establish and implement an audit and surveillance schedule that 
provides comprehensive coverage of all important functions. 
Provide to DOE evidence that this program has found problems, 
required examinations of the underlying causes, and ensured 
timely correction of underlying causes. 

10. Develop and adhere to a challenging, but achievable, schedule 
for issue of all necessary implementing procedures for Quality 
Assurance requirements. Present this schedule to DOE by October 
31, 1986. 



TABLE H.2 cont'd 



11. £UtBbli«h mnd implement definitive mnd detailed Quality 
Asiurance plitns for project! undertaken by UNC. Review existinf 
project! for wt aknetMa and r%viM existinf plans as appropriate 

to ensure that responsibilities can be traced to individual 
organisational positions and that the specific procedures for 
accomplishing the elemenU of the plan are identified. By 
October SI, 1986, present to DOE a challenging, but achievable, 
schedule for accomplishment of this objective, including an 
assessment of the scope of work involved. 

12. Reevaluate current UNC procedures and practices with respect to 
Nonconformance Report's and Design Changes. Clarify for 
lUchland the decision criteria that allow some changes to the 
physical plant to not be categoriaed as Design Changes or 
Nonconformance Reports. The explanation should be in the 
context of the requirements of NnA-1, and analogies to 
commercial industry practices are to be provided. Provide 
clarification to DOE by November 14, 1986. 

13. Develop a system that brings delinquent corrective action for 
audit findings. Corrective Action Requests, and significant 
issues directly to the attention of top management. Implement 
the system uid present to Richland by January 5, 1987. 



TABLE H.S DOE-UNC Award Fee Cnteria and Standards for Reactor 
Operations, October 1, 1986 - March 31, 1987 



Reactor Operations Criterion: Effectively manage N Reactor and 
support facilities to assure safe, reliable, and cost-effective 
attainment of production goals. 

Evaluation Standards: 

1. Meet operation directives and Cost Allocation Plan milestones. 

2. Meet all the production goals as established in the fiscal year 
baseline document (600 KMWD, 3.092 BKWHE). 

3. Achieve 1.65 BKWHE during the bonus period from November 1, 1986 
through March 1, 1987. 

4. Complete all the outages as scheduled with planned scope of work, 
maximising production goals. 

5 Demonstrate improved operation. Operator error caused shutdowns 
not to exceed two with target to achieve sero. Accomplish 50 
percent reduction in unscheduled shutdowns over FY 1986. 

6 Maintain shipment of fuel to PUREX that is cons^itent with run 
plan and is not impacted by lack of adequate support services. 

7. Perform startup readiness activities in compliance with 
efitaMished proce4Zure. 
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TABLE H.4 DOE-UNC Award Fee Criterift and Standards for Operation! 

Support, October 1, 1986 - March 31, 1987 



Reactor Operations Support Criterion: Conduct operations support 
activities to achieve Cost Allocation Plan milestones and to assure 
that maintenance, training, engineering^ and other services res It in 
continued safe, secure, quality, cost-effective attainment of 
production goals. 

Evaluation Standards: 

1. Meet Operation Directives and Cost Allocatic ^ Plan milestones. 

2. Demonstrate improved planning, scheduling, and performance with 
emphasis on coordination and timeliness to assure efficient 
utilisation of resources and achievement of program requirements. 

3. Perform trend analysis to identify root problems and implement 
appropriate corrective actions. 

4 Demonstrate improvement in procedural compliance emphasising 
reduction of personnel errors. 

5. Strengthen and document the current design change review process. 

6. Demonstrate that training programs are managed in a 
cost-efficient manner which results in improved management^ 
operation, and maintenance of facilities and programs. 

7 Achieve industry credibility of certified operator/supervisor 
training programs as compared to current INPO accreditation 
criteria. Complete a self-evaluation of training programs to 
INPO criteria by January 30, 1987. Submit a plan to implement 
programs meeting criteria by March SO, 1987. 

8 Contmue implementation of the N-Reactor Inservice Inspection 
(ISI] and Inservice Testing Plan (ITS) as specified by UNI-1997 
and the N-Reactor Technical Specifications, for Class I only. 



offices typically consisted of audits aimed at verifying compliance 
with DOE Orders. There have also been particular cases in which 
the local offices used industry standards that pre not mandatory 
DOE requirements as criteria for appraising contractor perfor- 
mance. [32] In sum, the local field office appraisals are yet another 
mechanism by which DOE can promote the adoption of new stan- 
dards at the production reactors. Local DOE field office staff 
informed the committee in interviews that they viewed DOE Or- 
der 5480.1, which refers in passing to the Department's objective 
of comparability with commercially licensed reactors, as providing 
the authority to employ NRC and commercial standards in assess- 
ing contractor performance, whether or not those standards are 
specifically cited in DOE Orders. [33] 
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TABLE H.5 DOE-UNC Award Fee Criteria and Standards for the Safety 
Enhancement Program, October 1, 1986 - Murch 31, 1987 



Safety Enhancement Program Criterion: Develop and execute a program 
to implement safety review rerommendationi. 

Evaluation Standards: 

1. luue flnal program plan by October 17, 1986. 

2. Develop activity schedules by January 1, 1987, maintain quarterly 
progress consistent with program plan, and maintain overali 
program schedule variance within two veeks— excellent, three 
weeks— very good, and four weeka— satisfactory. 

3. Complete development and testing of the N-Reactor System Analysis 
(RELAP5) and Containment Analysis Code (HECTR) set—March 1, 
1^87. 

4. Update five-year core surveillance plan— February 1, 1987. 

5 Issue N-Reactor 1986 Annual Surveillance Report— February 28. 
1987. 

6. Complete qualification testing of pressure tube NDE equ'pme'-: - 
March 31, 1987. 

/. Complete evaluation of Inte<^m Installation Helium Gas S, stem 
Chromatograph Performance by March 31, 1987. 



VERIFICATION OP COMPLIANCE 

There are several types of appraisals and audits conducted by 
the local DOE field offices. These include functional appraisals, 
operational readiness reviews, incident reviews, and quality assur- 
ance audits. These appraisals, reviews, and audits are typically 
conducted by fewer than three members of the field office staff. 

The frequency with which the local DOE offices conduct the 
various types of appraisals depends upon the particular appraisal. 
Functional appraisals are expected to occur on a schedule that 
is drawn up at the beginning of the fiscal year. However, such 
schedules often are revised as the year progresses in order to 
make allowance for changes in staff availability, which is severely 
constrained both because of the small number of safety staff in 
the DOE local offices and because of the large number of facilities 
that must be appraised at each site. For these reasons, there 
have been severe fluctuation? from year to year in the number 
of appraisals conducted, and extended periods of time between 
appraisals covering particular areas of reactor safety. 

Operational readiness reviews are conducted prior to reactor 
startup during extended outages. The frequency of these reviewc 



236 

is strictly a function of the production cycle. Incident reviews, 
of course, are ad hoc in nature and are conducted on a sched- 
ule determined more or less by the frequency of incidents at the 
reactors. 

The criteria that are used to conduct DOE field office ap- 
praisals are also a function of the type of appraisal. The func- 
tional appraisals examine contractor performance in a particular 
area of reactor safety, such as maintenance training [34], cri^icality 
control [35], technical specifications [32], or operator training [36]. 
The criteria for these appraisals are either standards prescribed in 
bhe DOE Orders or standards that are generally applicable in the 
commercial reactor industry. Operational readiness reviews are 
much narrower in scope; they are aimed primarily at assessing the 
degree of compliance with operating procedures during the previ- 
ous production run or compliance with maintenance and job plans 
for work conducted during that outage. DOE field offices have for- 
mal protocols for conducting functional appraisals and operational 
readiness reviews. By contrast, the reviews of reactor incidents do 
not seem to follow formal procedures, and do not appear to be es- 
pecially probative. (58, 59] They tend to involve judgments by the 
local DOE staff concerning whether the contractor is rer/onding 
to an incident in a way that the staff feels is appropriate. [33] 

It is difficult to predict whether the appraisals organized by 
DOE headquarters this past year will prove to have been effective 
in achieving the various purposes for which they were organized — 
verifying compliance with DOE Orders, establishing comparability 
with licensed reactors, and achieving a high level of safety. In Oc- 
tober 1986, in response to the Technical Safety Appraisal and the 
Design Review, the N-Reactor contractor developed a plan for 
a Safety Enhancement Program. [60] That plan was broadened 
in December, upon release of the Roddis panel findings, and a 
schedule for implementing the recommendations of all three safety 
reviews conducted at N Reactor wa^ accelerated. [61] A previously 
planned outage of the N Reactor was extended from three months 
to six months in order to implement, or begin implementing, the 
various recommendations. Congressional action prompted a fur* 
ther extension of the outage at least another three months. [62] 

Savannah River produced a similar ''combined appraisal re- 
sponse" to the recommendations of the Technical Safety Appraisal, 
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the Design Review, and a headquarters Quality Assurance ap- 
praisal. [63] Althougn the contractor's response indicates that vig- 
orous work is under way to upgrade the safety of the Savannah 
River reactors in line with the recommendations, a significant 
number of the contractor's responses merely indicate that an issue 
will receive further study. Such a response might be more reas- 
suring were it not for the fact that DOE has previously identified 
areas needing remediation that the contractors have not fully ad- 
dressed. For example, some of the functional appraisals conducted 
in the last three years at Savannah River cite recommendations 
that DOE or its predecessors made several years ago but have not 
been fully resolved by the contractor, one for as long as a decade. 
[37,38] 

Delay in implementation is not unique to Savannah River. Im- 
plementation of standards is also slow at N Reactor. One instance 
of significant delay in application of standards at N Reactor relates 
to the environmental qualification of reactor electrical equipment. 
In 1984 the contractor at the N Reactor hired the General Elec- 
tric Company (GE) to assess the need to environmentally qualify 
certain systems at N Reactor. GE submitted a report in March 
1986 [39] that stated that some systems would need to be qualified 
to meet the applicable standards. The contractor's environmental 
qualification program has been incorporated into the N Reactor 
accelerated safety enhancement program [40], but it will be several 
years before all of the equipment in the plant can be reviewed to 
determine what needs to be upgraded to meet the standard. [41] 
Obviously, such delayed application serves to limit the effectiveness 
of the standard in assuring safety. 

The conmfiittee found indications that DOE does not vigor- 
ously ensure that all of the requirements imposed by its Orders 
are implemented in a timely manner. In some cases, as noted in 
the main body of the report, DOE has extended formal waivers of 
certain requirements. 

For example, in 1977 the operating contractor at N Reactor 
suggested a better system for the control of liquid effluents, but 
DOE did not accept the UNC proposal. [42] On March 20, 1984, 
however, DOE transmitted an Order (DOE Order 5820.2) to UNC 
that stated, in effect, that a discharge of liquid effluents to the sand 
cribs at the N Reactor was unacceptable. [43] DOE directed that: 
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Dbposal operations involving discharge of liquid Low Level Waste 
(LLW) directly to the environment or on natural soil columns 
shall be replaced by other techniques such as solidification prior 
to disposal or in-place immobilisation, unless specifically approved 
by Heaas of Field Organisations, in consultation with [DOB head- 
quarters]. 

The Order has still not been applied to N Reactor, however, 
because a waiver was granted authorizing continued use of the 
cribs. [43,44] In light of the $80 million to $100 million cost to 
upgradt, the effluent control system and the limited lifetime of the 
facility, it is possible that t,he waiver will be extended throughout 
the remaining Vie of the reactor. 



DOE'S OBJECTIVE OF COMPARABILITY 

The design, construction, and early operation of DOE's pro- 
duction reactors preceded the establishment of commercial reactor 
regulations. Furthermore, tY * production reactors themselves dif- 
fer significantly from commercial reactor types. These considera- 
tions have made it impractical to adopt, directly, NRC regulations 
for application ^o DOE production reactors. Nonetheless, as noted 
above, over the years DOE hab publicly stated that one of its gen- 
eral safety objecti/es is to ensure that DOE nuclear facilities are 
safer thar, or at least as safe as, comparable NRC licensed facili- 
ties. 

The stated DOE objective of comparability with commercial 
reactors emerged in the 1960s, in the early years of commei- 
cici reactor licensing. The agency asked the contractors for the 
production reactors to conduct safety analyses using the safety 
philosophy on which the licensing procej^ was based. [45-48] The 
purpose was to determine whether modifice^tions to the production 
reactor3 were needed in order to achieve the same level of safety 
required of commercial reactor license applicants. 

After these early reviews of comparability, .he safety philoso- 
phy used to oversee the production reactors bec&me essei lally 
the same as that used to regulate commercial react rs. Ti;is 
safety philosophy is based on the concept of ^design-basis" ac- 
cidents. Design-basis accidents are hypothetical accidents that 
are defined to establish design .^quirements and set operating lirr 
its for the plant^ Thes^ accidents were not defined aa the most 
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severe accidents that could be envisioned, but rather were less se- 
rious accidents that, although viewed as improbable, were credible 
occurrences. A "single failure** criterion was also used in assessing; 
designs. A safety system was to be available to perform its func- 
tion even if one active cor ponent of the system was assumed to 
have failed, in addition to whatever failures were assumed to have 
initiated the postulated accident. The purpose of the single failure 
criterion was to promote reliability by requiring redundancy and 
diversity in systems that must mitigate accidents: either two sep- 
arate and mdependent systems of each kind, or a backup system 
capable of saving the reactor if the primary system were t/j fail. 
The use of these principles in the review of the production reac- 
tors, sometimes years after the plants were constructed, has led 
to the installation of important backup safety systems and other 
safety equipment upon which the safety of these reactors currently 
depends. [49] 

Today, the objective of comparability is included in DOE 
Orders (6], in the Du Pont contra* at Savan* ah River [15], and in 
contractor safety analyses. (SO-S*^ t has ak*c been used by DOE 
headquarters and the DOE fie offices to evaluate contr vctor 
peiformance in selected technical -ea*' i3,53] Yet to date there 
has been no consistent or clear specie. . on of what comparability 
means, nor of the methods to demonstrate that comparable levels 
of safety are in fact being achieved. Thus, although comparability 
has been a useful tool over the years that has led to improvements 
in safety systems in the production reactors, it has not served as 
a clear safety benchmark. 

DOE has net specified the concept of comparability to an 
extent that would allov establishment of levels of safety to be 
attained. In the absence of specific objectives, judgments and 
interpretations are made in a decentralized and largely undocu- 
mented fashion to adapt selected commercial standards and to 
establish safety c teria for the DOE plants. This has resulted in 
^he arbitrary and inconsistent application of commercial standards 
the two production reactor sites. For example, the question of 
whether the production reactors would meet commercial reactor 
limits on radiation doses at the site boundary during and after an 
accident depends on basic assumptions concerning the hypotheti- 
cal performance of the producbio^i reactor confinement systems in 
preventing the release of radionuclides as compared to commercial 
reactor containment structures. 
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Since 1964 the Atomic Energy Commission (AEC) and NRC 
have employed a highly stylized set of criteria for determining, 
during the review of a reactor license, whether a license applicant's 
site is acceptable. These siting criteria are contained in Title 10 
Part 100 of the Code of Federal RegxdationB, [54] The provisions of 
10 CFR 100 define acceptable standards of radiation exposure at 
the site boundary caring normal operation and during accidents. 
DOE's contractors are required to use the provisions of 10 CFR 100 
as limiting conditions when conducting safety analyses of proposed 
modifications to the production teactors. [6] 

The requirements of 10 CFR 100 rest on an approach to 
the analysis of possible nuclear plant accidents that dates to a 
time when little was known about fission product release during 
reactor accidents. The analytical method for determi^mg site 
acceptability presented in 10 CFR 100 involves: 

... a fission product reie&se . . . based on a major accident, 
hypothesised for purposes of site analysis or postulated from con- 
sideration of possible accidental events, that would result in hasards 
not exceeded by those from any accident considered credible. Such 
accidents have generally been assumed to result in substantial melt- 
down of the core with subsequent release of appreciible quo^ntities 
of fission products. [55] 

Commercial practice for establishing compliance with these 
criteria has commonly been to choose a nonmechanistic accident 
that would lead to severe damage to the entire core of the reactor. 
This is then assumed to cause release to the containment building 
of all ihe noble-gas inventory, 50 percent of the iodine inventory, 
and 1 percent of the other fission products. Half of the iodine 
released is assumed to plate out on the structures in the contain- 
ment. The remainder of the fission products is assumed to be 
available to leak from the containment at a rate set by the design 
leak rate of the building, as this responds to the actual pressure in- 
duced by the accident, and the performance of contunment safety 
systems (e.g., sprays). 

In the commercial sector, therefore, the methodology for an- 
alyzing conformity to 10 CFR 100 is closely tied to containment 
of the nucleetr reactor and to the method for deriving radioactive 
"source terms'* reflected in 10 CFR 100. Analysis of conformity to 
10 CFR 100 for a reactor housed in a confinement structure, such 
as a production reactor, would require interpretation and adjust- 
ment of the analytical technique. How DOE and the contractors 
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have gone about demonstrating conformity of the N and Savannah 
River reactors to 10 CFR 100 illustrates the inconsistent applica- 
tion of conmiercial reactor standards to the production reactors. 

The analysis provided m the N-Reactor Safety Analysis Re- 
port [56] of conformity to 10 CFR 100 assumes a mechanistic 
accident initiated by a double-ended rupture of the largest pipe 
in the primary cooling system of the reactor. This is followed 
by the postulated failure of the emergency core cooling system 
(ECCS). The contractor's analysis of temperature transients in 
fuel deprived of primary coolant leads to the conclusion that, if 
this accident were to occur, about 32 percent of the fuel would 
melt, rather than the 100 percent assumed for commercial reac- 
tors. From this fuel, 100 percent of the noble gases, 50 percent of 
the iodine, and 1 percent of the other fission products are assumed 
to diffuse out, reaching the confinement building. There, about 
99.1 percent of the elemental iodine and 98 percent of the non- 
volatile fission products are calculated to be removed by the fog 
spray system, and further release of these constituents would be 
attenuated by the filters in the confinement vent paths. The frac- 
tion of fission products transmitted through the filters is assumed 
to be 2 X tO"* for elemental iodine and 10"* for particulates. 

The accident assumed in assessing 10 CFR 100 equivalence 
for the Savannah River reactors [52l is relatively inconsequential 
compared to others that might reasonably be regarded as equally 
probable or nearly so. The analysis is based on an accident that 
involves only a 3 percent core melt. Yet if the same accident were 
to be considered for a Savannah River reactor as was used in the 
N-Reactor analysis (that is, large pipe break followed by complete 
ECCS failure), the result v/ould be full core melt of the reactor in a 
short period of time. The fission product release from an accident 
of this magnitude, or even one approaching it, would likely exceed 
the guideline dose estimates of 10 CFR 100. 

10 CFR 100 was designed to assist in siting nuclear power 
plants with containments and provided a mechanism for balancing 
site population characteristics with containment design features 
in commercial reactor licensing. The production reactors, on the 
other hand, were sited prior to the promulgation of 10 CFR 100 
and built with confinements not containments. The attempt to 
use 10 CFR 100 at the production reactors as a standard for 
assessing the acceptability of plant modifications or comparability 
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with commercial re&rtors has been inconsistent and is difficult to 
defend. 

Efforts at the production ctors have focused on selecting 
and justifying hypothetical accidents for which the requirements of 
10 CFR 100 are met. Those hypothetical accidents have been less 
challenging (for example, assumptions of 3 percent and 32 percent 
core melt by the respective production reactor contractors versus 
the assumption of 100 percent core melt by conunercial reactor 
license applicants) than those specified in 10 CFR 100. At the 
same time, however, analyses at the production reactors of larger 
accidents involving lull core melt have been performed and used 
in designing new safety systems. [57] In effect, then, 10 CFR 100 
has been embraced as a means of demonstrating compliance in 
safety analysis reports rather than as a real tool for assuring the 
protection of the public. As noted in the main body of the report, 
DOE needs either to clarify the purposes for which 10 CFR 100 
is to be used or develop a more meaningful standard for assuring 
public health and safety. 
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Appendix I 
Selected Reactor Safety- Related 
Provisions of the Du Pont-DOE and 
UNC-DOE Contracts 



1. Provisions of the Du Pont-DOE Contract of October 24, 1984 

A. Excerpts from Article II — Description of the Undertaking 

. . The Contractor is requested and authorized, subject to the 
approval of the Department as hereinafter set forth ... to do 
all things which in the Contra'ttor's judgment are necessary or 
desirable for the development, design, construction, installation 
and operation of new production facilities and the performance of 
other work, within the scope of Appendix C. . . . 

. . The new production facilities . . . will involve certain technical 
developments which go beyond any experience which has been had 
at the Hanford Project or any other installation of the [Atomic 
Energy] Commission and the attainment by the Contract of the 
objectives of the project cannot b. assured. The Contractor under- 
takes to use ail reasonable efforts to carry out the project and to 
attain the objectives thereof. It is u iderstood and agreed, however, 
that all work hereunder is to be d >ne at the expense and risk of 
the Government and that the Contractor makes no representation 
or guarantee that such objectives will be achieved.** 

B. Excerpt from Article XXIII— Safety, Health, and Fire Protec- 
tion 

"The Contractor shall take all reasonable precautions in the per- 
formance of the work under this Contract to protect the health and 
safety of employees and of memb^r^ of the public and to minimize 
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danger from all hrjards to life and property, and shall comply with 
aU health, safety, and fire protection regulations and requirements 
(including reporting requirements) ct the AEC, In the event that 
the Contractor fails to comply with said regulations or require- 
ments . . . , the Contracting Officer may . . . issue an order stopping 
aU or any part of the work; thereafter a start order fcH* resump- 
tion of work may be issued at the discretion of the Contracting 
Officer. Additionally, in connection with both its construction and 
operations activities, the Contractor wiU also conform to its health, 
safety, and fire protection rules and practices.' 

C. Text of Article XLI— Nuclear R€actor Safety 

'The activities performed under this Contract include the operation 
of reactor . . . facilities. . . . The Contractor recognises that such 
operations involve the risk of a radiological incident which, while 
the chances are remote, could adversely affect the public health 
and safety as well as the environment. In the conduct of these 
activities, the Contractor will, therefore, exercise a degree of care 
commensurate with the risk involved. 

''The Contractor shall compiy with all applicable regulations of the 
Department concerning nuclear safety, and with those requirenients 
(including reporting requirements and instructions) of the Depart- 
ment concerning nuclear safety of which it is notified in writing by 
the Contracting Officer. 

''Prior to the startup of any reactor • • • and prior to any subsequent 
startup following a change which represents, in the opinion of the 
Contracting Officer or the Contractor, a significant deviation from 
the procedures, equipment, or analyses described in the safety 
analysis reports or other hasards summary reports foi that facility, 
the Contractor shall: 

a. Prepare a safety analysis report, technical specifi- 
cations . . . , admin btrative control piocedures, and 
detailed plans and procedures designed to assure the 
safe operation and maintenance of the facility. . . . 

b. Efltab^bh and document the nuclear safety control 
procedures to be used within the Contractor's organi- 
zation to ensure competent, independent review and 
internal approval of the safety analysis report, technical 
specifications . . . , and detailed plans and procedures 
specified . . . above. 
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c. Submit to the Contracting Officer for his approval 
such procedures relating to nuclear safety as may be 
designated by him. 

d. Carry out a program of initial traming, audit, and 
periodic requalification designed to assure that all per- 
sonnel who wiD be engaged in nuclear operations or 
maintenance understand and follow approved plans and 
procedures that ensure nuclear safety and are qualified 
to pcrfOTm their assigned functions. 

e. Obtain the approval of the Contracting Officer prior 
to startup ot the nuclear facility. 

*In the operation and maintenance of any reacts . . . facility under 
this Contract, the Contractor shall use all reasonable efforts to: 

a. Assure that all operational and maintenance activi- 
ti^ are performed by qualified and adequately trained 
personnel, and . . . are conducted mder the supervision 
of personnel who are quaLfied and authorised to evalu* 
ate any emergency condition, and take prompt effective 
action with respect thereto. 

b. Operate the reactors within the limits of the tech- 
nical specifications. . . . The Contracting Officer will 
consult with the Contractor in draftmg and revising 
such technical specifications. . . . 

c. Follow strictly the procedures relating to nuclear 
safety approved by the Contracting Officer in 3.a and 
3.C above and submit to the Contracting Officer for his 
approval any proposed changes in such procedures. 

d. Establish an auditable, well-defined internal nuclear 
safety review and inspection system approved by the 
Contractmg Officer (including review of inspection re- 
ports by competent technical personnel) that will: (i) 
provide frequent and periodic checks of facility perfor- 
mance and of the qualifications and training of oper- 
ating and maintenance personnel, and (ii) provide for 
investigation of any unusual or unpredicted conditions 
that might affect safe nuclear operations. 

e. Report promptly to the Contracting Officer any 
change in the physical condition of the nuclear facility 
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or its operating characterifltics that might, in the judg- 
ment of the Contractor, affect the safe operation of the 
facility. 

f. Shut down or terminate operations at the facility 
immediately whenever so instructed by the Contracting 
Officer, or whenever, in the judgment <A the Contractor, 
the risk of radiological incident endangering persons or 
property warrants such action. 

g. Prepare ... a plan for minimising the effects of 
a radiological incident upon the health and safety c'' 
all persons on the site; cooperate with the Contracting 
Officer in his preparation of a plan to protect the public 
offsite; instruct its personnel as to their participation 
in such plans and any personal risk to such personnel 
that may be involved; and participate in such practice 
exercises as may be desirable to assure the effectiveness 
of such plans. 

"In the operation, maintenance, or construction of any reactor . . . 
facility under this Contract, upon order of the Contracting Officer 
in the interest of nuclear safety, the Contractor <shall stop all or any 
part of the work. Any oral stop order shall be confirmed in writing. 
Thereafter, any order for resumption of the work must be issued in 
writing by the Contracting Officer." 

D. Text of Article LIII— Review of Federal and Department Reg- 
ulations and Directives 

"FVom time to time the Department will transmit to the Contrac- 
tor certain Federal and Department Regulations and Directives, 
the provisions of which the Contracting Officer proposes for imple- 
mentation by the Contractor under the Contract. The Contractor 
agrees promptly to: 

1. Review and evaluate the impact of such provisions on 
the Contractor's obligation under the Contract as well 
as on the safe and efficient operation and management 
of the Plant, and 

2. Either accept in writing or provide comments thereon 
to the Department. 
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After the Department reviews such comments and at its request, 
the Department and Contractor will jointly evaluate the applica- 
bility of such provisions to the Contract. For provisions to be 
adopted, the Contractor will provide a plan of implementation to 
the Department.* 

E. Elxcerpts from Appendix C — Scope of Work 

Purpose. . . It is the purpose of this Appendix *C'. . . to identify 
major additions to, and retirement of, facilities . . . and to define 
the activities expected to be required on a continuing basis. . . . 

Operation of the Plants. *It is the understanding of the parties that 
as to the facilities now available or contemplated; . . . 

• Develop and implement appropriate Quality Assurance programs. 

• Use of plant facilities for the following activities is specifically 
affirmed as work under the Contract: 

Maintenance of a continuing campaign to increase safety 
in reactor operation with special emphasis on the equiv- 
alence of production reactors to licensed reactors and 
on consultative assistance to the Nuclear Regulatory 
Commission." 

Provisions of the UNC DOE Contract of January 1, 1984, fl« 
amended 

A. Excerpts from Attachment 2, Statement of Work and Services, 
Part I, Work to be Performed Other Than Fuel Fabrication 

1. Reactor Operations and Management Services 

. . Operation of N Reactor shall include: operation of the 
N Reactor ... in a safe and productive manner; maintenance 
wl the reactor complex; management of associated wastes and 
control of effluents; storage and management of spent fuel; 
training; coordination with HGP on byproduct steam delivery 
and production planning. 

^Initiation of recommendations to DOE for the modifica- 
tion, improvement, alteration, or repair of existing facilities 
or construction of new facilities as the Contractor considers 
essential for the continued safe and efficient operation of the 
faciliti'is. Due consideration will be given to the impact on 
the environment. 
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2. General 

•The Contractor «hall perform the maintenance wrrk ne'-es- 
sary for the efficient operation of the fac'^'ties to the extent 
such work is included in work programs agreed to in writing 
between the Contractor and DOE. Projects which . . . requ'^v 
the issuanc* of a directive therefore by DOE shall not be 
undertaken until such directive has been issued. 

"In carrying out the work under this contract, the Contractor 
shall be responsible for the employment >f all professional, 
technical, skilled, and unskilled personnel engaged ... by the 
Contractor . . . , and for the training of personnel. . . 

3 Attachment 3: General Provisions 

• ''Safety and Health 

The Contractor shall take all ^-^asonaMe precautions 
in the performance of the work under this contract to 
protect the eafety and health of employees and of mem-* 
bers of the public and shall comply with all applicable 
Si.fety and healtn regulations and requirements (includ- 
ing reporting requirements) x-f DOE. The '^'^ntracting 
Officer shall notify, in writing, the Contractor of any 
noncompliance with the provisions of this clause and 
the corrective action to be taken. Afte_ receipt of such 
notice, the Contractor shall immediately take such cor- 
rective action. In the event that the Contractor fails to 
com^ *y with said regulations or requirements of L'OE, 
the Contracting Offi may . . . issue an order topping 
all or any part of the worl ; thereafter a start ordei fc^ 
resumption of the work may be issued at the Ji^rr^tion 
of the Contracting Officer. . . . 

• "Nuclear Facility Safety Applicability 

a. The activities under this contract include the op- 
eration of nuclear facilities. The Contractor recognizes 
that such operation involves the risk if a radiological 
incident which, while the chances are nmote, coula ad- 
versely affect the public hcdth and safety as well as the 
environment. Therefore, the Contractor will exercise a 
degree of care comme* surate with the risk Involved. 



253 



b. The Contractor shall comply with all applicable 
regulations of DOE concerning nuclear safety and with 
those requirements (including reporting requirements 
-nd in-*ructio^s) of DOE concerning nuclear safety of 
which . s notined in writing by the Contracting Officer. 

c. Prior to the initial startup of any nuclear facility 
under thir ^.ontract and prior to any subsequent startup 
following a change which repr^^sents a significant de- 
viation from the procedures, equipment, or analyses 
described in th( s Jety analysis reports or other haiards 
summary reports for that facility, the Contractor shall: 

1. Prepare a safety analysis report including tech- 
nical specifications and detailed plans and proce- 
duri;B designed to assure the safe operations and 
maintenance of the facility. 

2. Establish nuclear safety control procedures to 
be used within the Contractor's organization to 
insure competent independent review aitd internal 
approval of the safety analysis report and the de- 
tailed plans and procedures specified in (1) above. 

3. Submit to the Contracting Officer for his ap- 
proval buch procedures relating to nuclear safety 
as may be designated by him. 

4. Carry out a program of initial training and 
periodic reqi'-lification designed to ass^^re that aU 
personnel vfiio will be engaged in nuclear oper- 
ations or maintenance understand the approved 
plans and procedures for nuclear safety and are 
qualified to perform their assigned functions. 

5. Obtain the app*-oval of the Contracting Officer 
priox- to start-up of the facility. 

d. In the operation and maintenance of any nuclear 
facility under this contract, the Contractor shall: 

1. Use aP .asonable efforts t sure that all 
operational and maintenance activities are per- 
formed by qualified and adequately trained per- 
sonnel, and except as otherwise agreed in writing, 
are ccnducted under the supervision of personnel 
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who are qualified and authorised to evaluate any 
emergency condition and take prompt effective 
action with respect thereto. 

2. Operate the facility within the technical spec- 
ifications which are approved by the Contracting 
Officer. 

3. Follow strictly th^ procedures relating to nu- 
clear safety approved by the Contracting Officer 
in (c)(3) above, and submit to the Contracting 
Officer for his approval, any proposed changes in 
such procedures. 

4. Establish an audit able, weltdefined, internal 
safety review and inspection system approved by 
the Contracting Officer (including review of in- 
spection reports by competent technical person- 
nel) that will: (a) provide frequent and periodic 
checks of facility pcrfcrniance and of the qualiSca- 
tions and training of operating and maintenance 
personnel, and (b) provide for investigation of any 
unusual or unpredict«^d conditions that might af- 
fect safe operation. 

5. Report promptly to the Contracting Officer 
any change in the physical condition of the facil- 
ity or its operating characteristics that might, in 
the judgment of the Contractor, affect the aafe 
operatk>n of the facility. 

6. Terminate operations at the facility immedi- 
ately whenever so instructed by the Contracting 
Officer, or whenever, in the judgment of the Con- 
tractor, the risk of a radiological incident endan- 
gering persons or property warrants such action. 

7. Prepare, in cooperation with other services 
and facilities available ".t the site anu with the 
approval of the Contracting Officer, a plan for 
minihiizing the effects of a radiological incident 
upon the health and safety of ail persons on the 
site; cooperate with the Contracting Officer in his 
preparation of a plen to protect the public off-site; 
ii ^ruct its personnel as to their participation in 
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such plani and any personal risk to such personnel 
that may be involved; and participate in such 
practice exercises as may be desirable to assure 
the effectiveness of such plans. 

8. At an appropriate time as determined by the 
Contracting Officer, prepare and submit to the 
Contricting Officer for hiB approval, shutdown, 
decommissioning, decontamination, and property 
management plans leading to orderly and safe 
program disposition of the nuclear facility and 
any associated nuclear wastes or other hazardous 
material. 

9. In the event that the Contractor fails to comply 
with said standards and requirements of DOE, 
the Contracting Officer may, without prejudice 
to any other legal or contractual rights of DOE, 
issue an order stopping all or any part of the work; 
thereafter a start order for resumption of the \.ork 
may be issued at the discretion of the Contracting 
Officer, '^he Contractor shall make no claim for an 
extension of time or for compensation or damages 
^y reason of or in connection with such work 
stoppage." 
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RICHARD A. MESERVE is a partner in the Washington 
law firm of Covington k Burling. He holds both a law degree 
from Harvard Law School and a Ph.D. degree in applied physics 
from Stanford University, where he did postdoctoral work on the 
theoretical properties of paramagnets and techniques to calculate 
molecular properties. In 1976, he was a clerk for Supreme Court 
Justice Harry A. Blackmun, and in 1977 he was appointed Legal 
Counsel and Senior Polic) Analyst in the White House Office of 
Science and Technology Policy (OSTP). At OSTP he helped de- 
velop policies designed to promote the technological advance of 
American industry and conducted reviews of energy technology 
issues. In addition, he served as executive direccor of an intera- 
gency committee concerned with nuclear power plant safety. Mr. 
Meserve has been a member of several study committees of the 
National Research Council, including most recently the Panel to 
Study the Impact of National Securty Controls on International 
Technology Transfer. 

DAVID C. ALDRICH is an assistant vice president at Science 
Applications International Corporation (SAIC). He has worked 
prinriarily on nuclear facility safety and waste management prob- 
lems, and is an expert in radiological accident health, environ- 
mental, and economic consequence evaluation. Prior to joining 
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SAIC, Dr. Aldrich was supervisor of the Safety and Environmen- 
tal Studies Division of Sandia National Laboratories, where he 
worked on a wide variety of reactor safety issues, including man-- 
agement of an NRC-sponsored program to develop a new set of risk 
assessment computer codes covering thermal-hydraulir behavior, 
fission product source terms, and oflFsite consequences of severe 
reactor accidents. He is a member of an International Atomic 
Energy Agency (IAEA) advisory group on emergency response 
decisionmaking, and is active in the Organization for Ek:onomic 
Cooperation and Development (OECD) Nuclear Energy Agency 
(NEA), having served as chairman of NEA's Group of Experts on 
Radiological Accident Consequences. 

GEORGE APOSTOLAKIS id a professor in the i^^echanical, 
Aerospace, and Nuclear Engineering Department of the Univer- 
sity of California, Los Angeles. His research activities are in the 
development of methods for the assessment of risks from complex 
technological systems, nuclear reactor safety, and toxic waste dis- 
posal. He has published extensively on data analysis, human error 
modeling, and fire risk assessment. He has been a consultant on 
probabilistic risk assessment to private industry, government and 
national laboratories, as well as international organizations. He 
is a founding member and currently the president of the southern 
California chapter of the Society for Risk Analysis. He is also 
a vice president of the American Association for Structural Me- 
chanics in Reactor Technology. He is coeditcr of the international 
journal Reliability Engineering and System Safety. 

RICHARD S. DENNING is senior research leader for nuclear 
safety at Columbus Laboratories, Battelle Memorial Institute. He 
is an acknowledged expert in radioactive source term and sevi re 
accident research. His work focuses on reactor safety and risk, 
including core ii*c!uiown behavior, radionuclide transport, tran- 
sient thermei hydraulics, and cnticality and shielding analysis. He 
holds a Ph.D. degree in nuclear engineering from the University of 
Florivla. 

RONALD GAUSDEN is currently a consultant on nuclear 
energy. He is the former chief inspector of the Nuclear Installations 
Inspectorate (Nil) of the U.K. Health and Safety Executive. From 
1960 to 1978, Mr. Gausden served in a number of supervisory 
positions at the NIL Prior to that, he was group manager at 
Windscale, where in 1957 a production reactor overheated during 
a Wigner energy release causing a graphite fire and release of 
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radioactive particulates. He has authored papers for profeasional 
conferences on nuclear safety standards and nuclear power plant 
regulatory procedures, and in 1982 was awarded the C.B. for 
meritorious public service by Her Majesty the Queen. 

DAVID L. HETRICK is professor of nuclear and energy en- 
gineering at the University of Arizona in TVicson. His research 
interests center on reactor dynamics and simulation. He is an ad- 
ministrative judge for the U.S. Nuclear Regulatory Commission, 
and has recently served as an IAEA technical expert on assignment 
to Mexico's Institute de Inver igaciones Electricas. Dr. Hetrick has 
also been a visiting professor of nuclear engineering at the Univer- 
sity of Bologna, Italy. He has served as a consultant on reactor 
d> namics to government and industry and is the author of many 
articles on reactor physics and nuclear safety. 

WILLIAM KASTENBERG is chairman of the Mechanical, 
Aerospace, and Nuclear Engineering Department at the University 
of California, Los Angeles. Hid research focuses on nuclear reactor 
safety, the development of ri2»k-!>enefit and cost-benefit aaalysis, 
and e.ivironmental modeling for nuclear po^'er installations. He 
has served as a senior fellow of the Advisory Committee on Reactor 
Safeguards, where hv developed methods for applying probabilistic 
acceptance criteria to nuclear and nonnuclear technologies. He 
has been a consultant to a number of other governmental panels, 
including the President's Nuclear Safety Oversight Conmiittee. 
He is the author of over 100 journal and proceedings publications 
relating to reactor safety and risk asseso.nent, and recently served 
as a member of the National Research Council's Conunittee on 
Nuclear Safety Research. 

HERBERf KOUTS is chairman of the Depurtment of Nuclear 
Energy at Bn okhaven National Laboratory. He was the fi/st di- 
rector of the Nuclear Regulatory Commission's (NRC's) OfKce of 
Nuclear Regulatory Research, having previously headed the Divi- 
sion of Reactor Safety Research at the Atomic Energy Commission. 
He is a former member and chairman of the Advisory Conmiittee 
on Reactor Safeguards, and has been affiliated, either as a consul- 
tant or as a member, with a number of national and international 
groups focusing on reactor safety and safeguards, including the 
NRC's Risk Assessment Review Grojp, the President's Nuclear 
Safety Oversight Committee, the European-American Conrmiittee 
on Reactor Physics, the DOE Defense Energy Task Force, the 
American Nuclear Society (ANS) Special Committee on Source 
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Ternw, and several New York city and state advisory commissions 
on nuclea'- issues. He has also served on several advisory panels to 
review the safety of the N Reactor and the Fast Flux Test Facility. 
He is currently a member of the IAEA's Internationa' Nuclear 
Safety Advisory Group and the National Academy of Engineering, 
and is the recipient of several distinguished awards. 

DAVID D. LANNING is professor of nuclear engineering at 
ihe Massachusetts Institute of Technology (MIT). He has been 
a consultant to a number of firms active in the electric utility 
and nuclear industries, including Stone and Webster Engineer- 
ing Corporation, Northern SUtes Power, Boston Edisori, and GA 
Technologies. His professional interests include nuclear engineer- 
ing education and the design, safety, control, and opereMon of 
nuclear reactor systems. In the 1950s he worked for General Elec- 
tric (GE) at Hanford and in the 19608 for Battelle Northwest 
Laboratories. At MIT, lie has been a co-principal investigator of 
MIT's Program on Nuclear Power Plant Innovation in the area of 
modular high-temperature, gas-cooled reJictors and he is also the 
group coordmator for the Advanced Instrumentation and Control 
Program in the MIT Nuclear Engineering Department. 

KAI N. LEE is associate professor at the Institute of Environ- 
mental Studies and in the Department of Political Science at the 
University of Washington. He is also a member of the Northwest 
Power Planning Co -ncil, having been appointed to the Council 
the governor of the State of Washington. He is a former mem- 
ber of the Office of Technology Assessment's advisory panel cn 
radioactive waste disposal, and has served on a number of Na- 
tional Research Council committees, including past membership 
on the Environmental Studies Board and current membership on 
the Board on Radioactive Waste Management. His research in- 
terests include energy and environmental policy, regional power 
development, nuclear waste management, environmental conflict 
and dispute settlement, and the influence of technological change 
on American political life. 

SALOMON LEVY is president and chief executive officer of 
S. Levy Incorporated, an engineering consulting firm based in 
Campbell, California, and also adjunct professor of mechanical 
enginef ring at the University of California at Lm Angeles. Dr 
Levy is a former general manager of boiling water reactor oper- 
atiois at GE. His research has included studies of heat transfer 
and fluid flow, particularly two-phase flow, and nuclear reactor 
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power plant design and analysis. He is a member of the National 
Academy of Engineering and a fellow of the American Society of 
Mechanical Engineers. 

DANA A. POWERS is supervisor of the Reactor Accident 
Source Terms Division of Sandia National Laboratories. Dr. Pow- 
ers' particular research interests are the thernK>dynamic8 and ki- 
netics of material processes under severe reactor accident condi- 
tions. He has worked extensively on core debris interactions with 
concrete and the behavior of radionuclides under accident condi- 
tions. He has served as a consultant to the Advisory Committee 
on Reactor Safeguards, the International Atomic Energy Agency's 
review of the Chernobyl accident, and the Rogovin Commission 
review of the Three Mile Island accident. 

HENRY E. STONE recently became a consultant after a 38- 
year career with GE in nuclear-related activities. He was at Knolls 
Atomic Power Laboratory from IPSO to 1973 in various positions 
of re^ u>r and plant design, construction, operation, and training 
and was generaJ nutnager for the last six years. In 1974 he became 
manager of operational planning in the GE conmiercial nuclear 
business and in 1975 he became general manager of GE's Boiling 
Waur Reactor Systems Department. In 1977 he became general 
manager of tLc Nuclear Energy Engineering Division, with respon- 
sibility for boiling vater reaclor engineering, engineered equipment 
procurement, and operation of the Vallecitos Nuclear Center. In 
the early 19808 he served on an NAS committee studying nuclear 
technology for space application and on a DOE safety panel of 
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